Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@c9ef4a1

Release Date: 2019-06-13

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Vulnerable Library - log4j-1.2.12.jar

null

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar

Dependency Hierarchy:

• maven-compiler-plugin-3.3.jar (Root Library)
  • plexus-container-default-1.5.5.jar
    • xbean-reflect-3.4.jar
      • ❌ log4j-1.2.12.jar (Vulnerable Library)

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - struts-core-1.3.8.jar

Apache Struts

Library home page: http://struts.apache.org

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • velocity-tools-2.0.jar
      • ❌ struts-core-1.3.8.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

Publish Date: 2016-07-04

URL: CVE-2016-1181

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: kawasima/struts1-forever@eda3a79

Release Date: 2016-06-08

Fix Resolution: Replace or update the following file: ActionServlet.java

Vulnerable Library - plexus-utils-3.0.10.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Library home page: http://plexus.codehaus.org/plexus-utils

Path to vulnerable library: /bw6-plugin-maven/Source/bw6-studio-maven-plugin/bw6.studio.maven.plugin/lib/plexus-utils-3.0.10.jar

Dependency Hierarchy:

• ❌ plexus-utils-3.0.10.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16

Vulnerable Library - httpclient-4.0.2.jar

HttpComponents Client (base module)

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • ❌ httpclient-4.0.2.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.

Publish Date: 2019-05-30

URL: WS-2017-3734

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2019-05-30

Fix Resolution: httpcore-5.0-alpha3-RC1

Vulnerable Library - commons-codec-1.3.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.3/commons-codec-1.3.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • httpclient-4.0.2.jar
      • ❌ commons-codec-1.3.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Libraries - struts-core-1.3.8.jar, commons-beanutils-1.7.0.jar

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201607-09

Release Date: 2016-07-20

Fix Resolution: All Commons BeanUtils users should upgrade to the latest version >= commons-beanutils-1.9.2

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6420

Release Date: 2019-04-08

Fix Resolution: 3.2.2,4.1

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2019-09-26

URL: WS-2016-7062

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@f933e5e

Release Date: 2019-09-26

Fix Resolution: 3.0.24

Vulnerable Library - struts-core-1.3.8.jar

Apache Struts

Library home page: http://struts.apache.org

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • velocity-tools-2.0.jar
      • ❌ struts-core-1.3.8.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

Publish Date: 2016-07-04

URL: CVE-2016-1182

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: kawasima/struts1-forever@eda3a79

Release Date: 2016-06-08

Fix Resolution: Replace or update the following file: ActionServlet.java

Vulnerable Libraries - plexus-utils-3.0.10.jar, plexus-utils-3.0.20.jar

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2019-05-30

URL: WS-2016-7057

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-utils@33a2853

Release Date: 2019-05-30

Fix Resolution: 3.0.24

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6

Vulnerable Library - jackson-core-2.6.1.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar

Dependency Hierarchy:

• ❌ jackson-core-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.

Publish Date: 2018-06-24

URL: WS-2018-0124

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.jboss.org/browse/JBEAP-6316

Release Date: 2018-01-24

Fix Resolution: 2.8.6

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267

Release Date: 2019-10-07

Fix Resolution: 2.9.10

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19

Release Date: 2015-11-18

Fix Resolution: 3.2.2

Vulnerable Library - jackson-core-2.6.1.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar

Dependency Hierarchy:

• ❌ jackson-core-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.6.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.

Publish Date: 2018-06-24

URL: WS-2018-0125

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-core#315

Release Date: 2018-01-24

Fix Resolution: 2.7.6

Vulnerable Library - commons-codec-1.3.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.3/commons-codec-1.3.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • httpclient-4.0.2.jar
      • ❌ commons-codec-1.3.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Base64 encode() method is no longer thread-safe in Apache Commons Codec before version 1.7, which might disclose the wrong data or allow an attacker to change non-private fields.

Publish Date: 2010-02-26

URL: WS-2010-0001

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/CODEC-96

Release Date: 2017-01-31

Fix Resolution: 1.7

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2

Vulnerable Library - guava-18.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: http://code.google.com/p/guava-libraries/guava

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar

Dependency Hierarchy:

• maven-core-3.3.3.jar (Root Library)
  • maven-model-builder-3.3.3.jar
    • ❌ guava-18.0.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1

Vulnerable Library - httpclient-4.0.2.jar

HttpComponents Client (base module)

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • ❌ httpclient-4.0.2.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

Publish Date: 2014-09-04

URL: CVE-2012-6153

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153

Release Date: 2014-09-04

Fix Resolution: 4.2.3

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution: 2.8.11.1,2.9.5

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Publish Date: 2017-12-11

URL: CVE-2017-15708

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

Release Date: 2017-12-11

Fix Resolution: Apache Synapse - 3.0.1;Apache Commons Collections - 3.2.2

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@2235894

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: SubTypeValidator.java, BeanDeserializerFactory.java

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - httpclient-4.0.2.jar

HttpComponents Client (base module)

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • ❌ httpclient-4.0.2.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Publish Date: 2014-08-21

URL: CVE-2014-3577

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3577

Release Date: 2014-08-21

Fix Resolution: 4.3.5,4.0.2

Vulnerable Library - struts-core-1.3.8.jar

Apache Struts

Library home page: http://struts.apache.org

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • velocity-tools-2.0.jar
      • ❌ struts-core-1.3.8.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

Publish Date: 2016-07-04

URL: CVE-2015-0899

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899

Fix Resolution: Upgrade to version Apache Struts 1.2.9 SP2 or greater

Vulnerable Library - dom4j-1.1.jar

null

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/dom4j/dom4j/1.1/dom4j-1.1.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • velocity-tools-2.0.jar
      • ❌ dom4j-1.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Publish Date: 2018-08-20

URL: CVE-2018-1000632

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632

Release Date: 2018-08-20

Fix Resolution: 2.1.1

Vulnerable Library - snakeyaml-1.21.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: 2/repository/org/yaml/snakeyaml/1.21/snakeyaml-1.21.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.21.jar (Vulnerable Library)

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@5f7c69b

Release Date: 2019-06-14

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Vulnerable Library - plexus-archiver-2.1.jar

null

Library home page: http://forge.sonatype.com/spice-parent/plexus-archiver/

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/codehaus/plexus/plexus-archiver/2.1/plexus-archiver-2.1.jar

Dependency Hierarchy:

• maven-archiver-2.5.jar (Root Library)
  • ❌ plexus-archiver-2.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Plexus-Archiver prior to version 3.6.0 is vulnerable to path traversal issue in archive extraction.

Publish Date: 2018-06-26

URL: WS-2018-0137

CVSS 2 Score Details (8.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: codehaus-plexus/plexus-archiver@f8f4233

Release Date: 2018-01-26

Fix Resolution: 3.6.0

Vulnerable Library - httpclient-4.0.2.jar

HttpComponents Client (base module)

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-core-1.7.jar
    • ❌ httpclient-4.0.2.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

Publish Date: 2011-07-07

URL: CVE-2011-1498

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-1498

Release Date: 2011-07-07

Fix Resolution: 4.1.1

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.8.10,2.9.1

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: 2.10.0.pr1

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.6.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.1/jackson-databind-2.6.1.jar

Dependency Hierarchy:

• jackson-jaxrs-base-2.6.1.jar (Root Library)
  • ❌ jackson-databind-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7525

Release Date: 2018-02-06

Fix Resolution: 2.6.7.1,2.7.9.1,2.8.9

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /bw6-plugin-maven/Source/bw6-maven-plugin/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

• maven-reporting-impl-3.0.0.jar (Root Library)
  • doxia-site-renderer-1.7.4.jar
    • ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b4a9e5dad5975abb97d8720fc499e007f7e84406

Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501

Release Date: 2017-12-31

Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater