hygieia / hygieia-relateditems-collector Goto Github PK

[WIP] - Hygieia collector to process records in related_items collection to aid association of collector_items with dashboards.

License: Apache License 2.0

Dockerfile 0.64% Shell 2.74% Java 96.62%

hygieia-relateditems-collector's Introduction

Due to changes in the priorities, this project is currently not being supported. The project is archived as of 6/1/2023 and will be available in a read-only state. Please note, since archival, the project is not maintained or reviewed

hygieia-relateditems-collector

This project repository is a scheduled data collection from relatedItems collection in Hygieia and post it to subscriber end point.

Setup Instructions - Build & Deploy

To configure the Related Items collector Job, execute the following steps:

Step 1: Change Directory

Change the current working directory to the hygieia-relatedItems-collector directory of your source code installation.

For example, in the Mac terminal, run the following command:

cd /Users/<user>/git/forks/hygieia-relateditems-collector

Step 2: Run Maven Build

Run the maven build to package the project into an executable jar file:

 mvn install

The output file hygieia-relateditems-collector.jar is generated in the hygieia-relateditems-collector/target folder.

Step 3: Set Parameters in Application Properties File

Set the configurable parameters in the application.properties file to connect to the Dashboard MongoDB database instance, including properties required by the relateditems-collector Job.

For information about sourcing the application properties file, refer to the Spring Boot Documentation.

To configure parameters for the relateditems-collector Job, refer to the sample application.properties file.

Step 4: Deploy the Executable File

To deploy the hygieia-relateditems-collector.jar file, change directory to hygieia-relateditems-collector/target, and then execute the following from the command prompt:

java -jar hygieia-relateditems-collector.jar --spring.config.name=subversion --spring.config.location=[path to application.properties file]

Sample Application Properties File

The sample application.properties file lists parameter values to configure the relateditems-collector Job. Set the parameters based on your environment setup.

		# Database Name
		dbname=dashboarddb

		# Database HostName - default is localhost
		dbhost=localhost

		# Database Port - default is 27017
		dbport=27017

		# MongoDB replicaset
		dbreplicaset=[false if you are not using MongoDB replicaset]
		dbhostport=[host1:port1,host2:port2,host3:port3]

		# Database Username - default is blank
		dbusername=dashboarduser

		# Database Password - default is blank
		dbpassword=dbpassword

		# Logging File location
		logging.file=./logs/hygieia-relateditems-collector.log

		# Collector schedule (required)
		relateditems.cron=0 0/30 * * * *

		# server address
		relateditems.subscribers[0]=<server address>

		# Optional timestamp value to configure test results by specific time
		relateditems.lastExecutedTimeStamp=

Developing.

Before making any contribvutions, we suggest that you read the CONTRIBUTING.md and the Development Docs (housed in ./src/docs/README.md). But for the most part, running:

mvn clean test install site

will test and generate the project metrics (navigable from the locally built ./target/site/index.html -- see "Project Reports" in the left nav for all of the available reports). We generally want these reports to look good.

hygieia-relateditems-collector's People

Contributors

Stargazers

Watchers

Forkers

courtneyp123 danielyhuang rvema vidhya9lakshmi nameisaravind vivekbuzruk isabella232 kennethlong nireesht nigeriabuddy dcanar9

hygieia-relateditems-collector's Issues

WS-2018-0124 (Medium) detected in jackson-core-2.5.0.jar

WS-2018-0124 - Medium Severity Vulnerability

Vulnerable Library - jackson-core-2.5.0.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.5.0/jackson-core-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - jackson-databind-2.5.0.jar
    - ❌ jackson-core-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.

Publish Date: 2018-06-24

URL: WS-2018-0124

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124

Release Date: 2018-01-24

Fix Resolution: 2.8.6

Step up your Open Source Security Game with Mend here

WS-2017-3767 (Medium) detected in spring-security-web-4.0.3.RELEASE.jar

WS-2017-3767 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.0.3.RELEASE.jar

spring-security-web

Library home page: http://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.0.3.RELEASE/spring-security-web-4.0.3.RELEASE.jar

Dependency Hierarchy:

spring-security-oauth2-2.5.0.RELEASE.jar (Root Library)
- ❌ spring-security-web-4.0.3.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Cross-Site Request Forgery (CSRF) vulnerability was found in spring-security before 4.2.15, 5.0.15, 5.1.9, 5.2.3, and 5.3.1. SwitchUserFilter responds to all HTTP methods, making it vulnerable to CSRF attacks.

Publish Date: 2017-01-03

URL: WS-2017-3767

CVSS 3 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-01-03

Fix Resolution (org.springframework.security:spring-security-web): 4.2.15.RELEASE

Direct dependency fix Resolution (org.springframework.security.oauth:spring-security-oauth2): 2.5.1.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-17531 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-17531 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2018-8034 (High) detected in tomcat-embed-websocket-8.0.28.jar

CVE-2018-8034 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-websocket-8.0.28.jar

Core Tomcat implementation

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/8.0.28/tomcat-embed-websocket-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - spring-boot-starter-tomcat-1.3.0.RELEASE.jar
    - ❌ tomcat-embed-websocket-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Publish Date: 2018-08-01

URL: CVE-2018-8034

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034

Release Date: 2018-07-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 8.0.53

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-17267 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-17267 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

Implement Github actions for snapshot push

CVE-2020-36186 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36186 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36186

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36182 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36182 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36182

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-11272 (High) detected in spring-security-core-4.0.3.RELEASE.jar

CVE-2019-11272 - High Severity Vulnerability

Vulnerable Library - spring-security-core-4.0.3.RELEASE.jar

spring-security-core

Library home page: http://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.0.3.RELEASE/spring-security-core-4.0.3.RELEASE.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ spring-security-core-4.0.3.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Publish Date: 2019-06-26

URL: CVE-2019-11272

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272

Release Date: 2019-06-26

Fix Resolution (org.springframework.security:spring-security-core): 4.2.13.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-11111 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-11111 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Publish Date: 2020-03-31

URL: CVE-2020-11111

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-11112 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-11112 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Publish Date: 2020-03-31

URL: CVE-2020-11112

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-12814 (Medium) detected in jackson-databind-2.5.0.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-06-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2017-5664 (High) detected in tomcat-embed-core-8.0.28.jar

CVE-2017-5664 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.28.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Publish Date: 2017-06-06

URL: CVE-2017-5664

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Release Date: 2017-06-06

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.44

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36184 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36184 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36184

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2014-0114 (High) detected in commons-beanutils-1.9.2.jar

CVE-2014-0114 - High Severity Vulnerability

Vulnerable Library - commons-beanutils-1.9.2.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ commons-beanutils-1.9.2.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 3 Score Details (7.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.7.12

Step up your Open Source Security Game with Mend here

CVE-2019-16942 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-16942 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2016-0763 (Medium) detected in tomcat-embed-core-8.0.28.jar

CVE-2016-0763 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.28.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Publish Date: 2016-02-25

URL: CVE-2016-0763

CVSS 3 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763

Release Date: 2016-02-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.32

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.7.12

Step up your Open Source Security Game with Mend here

CVE-2018-14721 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2018-14721 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2018-5968 (High) detected in jackson-databind-2.5.0.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-12086 (High) detected in jackson-databind-2.5.0.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2018-14720 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2018-14720 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2016-5007 (High) detected in multiple libraries

CVE-2016-5007 - High Severity Vulnerability

Vulnerable Libraries - spring-security-web-4.0.3.RELEASE.jar, spring-security-config-4.0.3.RELEASE.jar, spring-webmvc-4.2.5.RELEASE.jar

spring-security-web-4.0.3.RELEASE.jar

spring-security-web

Library home page: http://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.0.3.RELEASE/spring-security-web-4.0.3.RELEASE.jar

Dependency Hierarchy:

spring-security-oauth2-2.5.0.RELEASE.jar (Root Library)
- ❌ spring-security-web-4.0.3.RELEASE.jar (Vulnerable Library)

spring-security-config-4.0.3.RELEASE.jar

spring-security-config

Library home page: http://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-config/4.0.3.RELEASE/spring-security-config-4.0.3.RELEASE.jar

Dependency Hierarchy:

spring-security-oauth2-2.5.0.RELEASE.jar (Root Library)
- ❌ spring-security-config-4.0.3.RELEASE.jar (Vulnerable Library)

spring-webmvc-4.2.5.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.2.5.RELEASE/spring-webmvc-4.2.5.RELEASE.jar

Dependency Hierarchy:

spring-security-oauth2-2.5.0.RELEASE.jar (Root Library)
- ❌ spring-webmvc-4.2.5.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Publish Date: 2017-05-25

URL: CVE-2016-5007

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-5007

Release Date: 2017-05-25

Fix Resolution (org.springframework.security:spring-security-web): 4.1.1.RELEASE

Direct dependency fix Resolution (org.springframework.security.oauth:spring-security-oauth2): 2.5.1.RELEASE

Fix Resolution (org.springframework.security:spring-security-config): 4.1.1.RELEASE

Direct dependency fix Resolution (org.springframework.security.oauth:spring-security-oauth2): 2.5.1.RELEASE

Fix Resolution (org.springframework:spring-webmvc): 4.1.1.RELEASE

Direct dependency fix Resolution (org.springframework.security.oauth:spring-security-oauth2): 2.5.1.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-36180 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36180 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36180

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36188 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36188 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36188

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-11619 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-11619 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: 2020-04-07

URL: CVE-2020-11619

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619

Release Date: 2020-04-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2017-8028 (High) detected in spring-ldap-core-2.0.2.RELEASE.jar

CVE-2017-8028 - High Severity Vulnerability

Vulnerable Library - spring-ldap-core-2.0.2.RELEASE.jar

spring-ldap-core

Library home page: http://www.springframework.org/ldap

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/ldap/spring-ldap-core/2.0.2.RELEASE/spring-ldap-core-2.0.2.RELEASE.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-security-ldap-4.0.3.RELEASE.jar
  - ❌ spring-ldap-core-2.0.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Publish Date: 2017-11-27

URL: CVE-2017-8028

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028

Release Date: 2017-11-27

Fix Resolution (org.springframework.ldap:spring-ldap-core): 2.3.2.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.7.12

Step up your Open Source Security Game with Mend here

CVE-2020-36189 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36189 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36189

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-8840 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2020-8840 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2022-27772 (High) detected in spring-boot-1.3.0.RELEASE.jar

CVE-2022-27772 - High Severity Vulnerability

Vulnerable Library - spring-boot-1.3.0.RELEASE.jar

Spring Boot

Library home page: http://projects.spring.io/spring-boot/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/1.3.0.RELEASE/spring-boot-1.3.0.RELEASE.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ spring-boot-1.3.0.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

Publish Date: 2022-03-30

URL: CVE-2022-27772

CVSS 3 Score Details (7.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 4.0.1

Step up your Open Source Security Game with Mend here

CVE-2020-36181 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36181 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2018-12022 (High) detected in jackson-databind-2.5.0.jar

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2021-20190 (High) detected in jackson-databind-2.5.0.jar

CVE-2021-20190 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Publish Date: 2021-01-19

URL: CVE-2021-20190

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-19

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-10202 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-10202 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

WS-2018-0125 (Medium) detected in jackson-core-2.5.0.jar

WS-2018-0125 - Medium Severity Vulnerability

Vulnerable Library - jackson-core-2.5.0.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.5.0/jackson-core-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - jackson-databind-2.5.0.jar
    - ❌ jackson-core-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.

Publish Date: 2016-08-25

URL: WS-2018-0125

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-08-25

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7

Step up your Open Source Security Game with Mend here

Implement Github actions for PR checks

CVE-2018-1199 (Medium) detected in spring-core-4.2.5.RELEASE.jar

CVE-2018-1199 - Medium Severity Vulnerability

Vulnerable Library - spring-core-4.2.5.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.5.RELEASE/spring-core-4.2.5.RELEASE.jar

Dependency Hierarchy:

spring-web-4.2.5.RELEASE.jar (Root Library)
- ❌ spring-core-4.2.5.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199

Release Date: 2018-01-29

Fix Resolution (org.springframework:spring-core): 4.3.14.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 4.3.14.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-12023 (High) detected in jackson-databind-2.5.0.jar

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-17

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-16335 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-16335 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36185 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36185 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36185

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-14439 (High) detected in jackson-databind-2.5.0.jar

CVE-2019-14439 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-11113 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-11113 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Publish Date: 2020-03-31

URL: CVE-2020-11113

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2017-12617 (High) detected in tomcat-embed-core-8.0.28.jar

CVE-2017-12617 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.28.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-10-04

URL: CVE-2017-12617

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617

Release Date: 2017-10-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.47

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2016-0762 (Medium) detected in tomcat-embed-core-8.0.28.jar

CVE-2016-0762 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.28.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Publish Date: 2017-08-10

URL: CVE-2016-0762

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E

Release Date: 2016-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.37

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36187 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36187 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36187

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2016-5388 (High) detected in tomcat-embed-core-8.0.28.jar

CVE-2016-5388 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.28.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.28/tomcat-embed-core-8.0.28.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- ❌ tomcat-embed-core-8.0.28.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Publish Date: 2016-07-19

URL: CVE-2016-5388

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388

Release Date: 2016-07-19

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2020-36183 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-36183 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: 2021-01-07

URL: CVE-2020-36183

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.5

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-16943 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-16943 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.3

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

Implement CD for push to central Maven Repo and Dockerhub

CVE-2020-11620 (High) detected in jackson-databind-2.5.0.jar

CVE-2020-11620 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Publish Date: 2020-04-07

URL: CVE-2020-11620

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620

Release Date: 2020-04-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

CVE-2019-14540 (Critical) detected in jackson-databind-2.5.0.jar

CVE-2019-14540 - Critical Severity Vulnerability

Vulnerable Library - jackson-databind-2.5.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.5.0/jackson-databind-2.5.0.jar

Dependency Hierarchy:

core-3.7.11.jar (Root Library)
- spring-boot-starter-web-1.3.0.RELEASE.jar
  - ❌ jackson-databind-2.5.0.jar (Vulnerable Library)

Found in HEAD commit: 4c8d5a1732722418ec10d2f1f5fd7e7a6e43c83b

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.10.0

Step up your Open Source Security Game with Mend here

hygieia / hygieia-relateditems-collector Goto Github PK

hygieia-relateditems-collector's Introduction

Due to changes in the priorities, this project is currently not being supported. The project is archived as of 6/1/2023 and will be available in a read-only state. Please note, since archival, the project is not maintained or reviewed

hygieia-relateditems-collector

Setup Instructions - Build & Deploy

Sample Application Properties File

Developing.

hygieia-relateditems-collector's People

Contributors

Stargazers

Watchers

Forkers

hygieia-relateditems-collector's Issues

WS-2018-0124 - Medium Severity Vulnerability

WS-2017-3767 - Medium Severity Vulnerability

CVE-2019-17531 - Critical Severity Vulnerability

CVE-2018-8034 - High Severity Vulnerability

CVE-2019-17267 - Critical Severity Vulnerability

CVE-2020-36186 - High Severity Vulnerability

CVE-2020-36182 - High Severity Vulnerability

CVE-2019-11272 - High Severity Vulnerability

CVE-2020-11111 - High Severity Vulnerability

CVE-2020-11112 - High Severity Vulnerability

CVE-2019-12814 - Medium Severity Vulnerability

CVE-2017-5664 - High Severity Vulnerability

CVE-2020-36184 - High Severity Vulnerability

CVE-2014-0114 - High Severity Vulnerability

CVE-2019-16942 - Critical Severity Vulnerability

CVE-2016-0763 - Medium Severity Vulnerability

CVE-2018-14721 - Critical Severity Vulnerability

CVE-2018-5968 - High Severity Vulnerability

CVE-2019-12086 - High Severity Vulnerability

CVE-2018-14720 - Critical Severity Vulnerability

CVE-2016-5007 - High Severity Vulnerability

CVE-2020-36180 - High Severity Vulnerability

CVE-2020-36188 - High Severity Vulnerability

CVE-2020-11619 - High Severity Vulnerability

CVE-2017-8028 - High Severity Vulnerability

CVE-2020-36189 - High Severity Vulnerability

CVE-2020-8840 - Critical Severity Vulnerability

CVE-2022-27772 - High Severity Vulnerability

CVE-2020-36181 - High Severity Vulnerability

CVE-2018-12022 - High Severity Vulnerability

CVE-2021-20190 - High Severity Vulnerability

CVE-2019-10202 - Critical Severity Vulnerability

WS-2018-0125 - Medium Severity Vulnerability

CVE-2018-1199 - Medium Severity Vulnerability

CVE-2018-12023 - High Severity Vulnerability

CVE-2019-16335 - Critical Severity Vulnerability

CVE-2020-36185 - High Severity Vulnerability

CVE-2019-14439 - High Severity Vulnerability

CVE-2020-11113 - High Severity Vulnerability

CVE-2017-12617 - High Severity Vulnerability

CVE-2016-0762 - Medium Severity Vulnerability

CVE-2020-36187 - High Severity Vulnerability

CVE-2016-5388 - High Severity Vulnerability

CVE-2020-36183 - High Severity Vulnerability

CVE-2019-16943 - Critical Severity Vulnerability

CVE-2020-11620 - High Severity Vulnerability

CVE-2019-14540 - Critical Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org