This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/en-us/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Path to vulnerable library: azure-sdk-for-java/sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/retrofit-2.1.0.jar
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Path to dependency file: /sdk/batch/microsoft-azure-batch/package.json
Path to vulnerable library: /sdk/batch/microsoft-azure-batch/node_modules/lodash.template/package.json,/sdk/resourcemanager/node_modules/gulp-util/node_modules/lodash.template/package.json,/eng/mgmt/node_modules/gulp-util/node_modules/lodash.template/package.json
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Path to dependency file: /eng/code-quality-reports/target/classes/dependency-allowlist.html
Path to vulnerable library: /eng/code-quality-reports/target/classes/dependency-allowlist.html,/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter-stateless/src/main/resources/static/index.html,/eng/code-quality-reports/src/main/resources/dependency-allowlist.html
Dependency Hierarchy:
β bootstrap-4.0.0.min.js (Vulnerable Library)
bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Path to vulnerable library: azure-sdk-for-java/sdk/resourcemanager/azure-resourcemanager-samples/src/main/resources/coffeeshop/webapps/coffeeshop/WEB-INF/lib/commons-collections-2.1.1.jar
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Path to vulnerable library: /sdk/spring/azure-spring-data-gremlin/package/apache-tinkerpop-gremlin-server-minimal-3.3.4.tar/apache-tinkerpop-gremlin-server-minimal-3.3.4/lib/netty-all-4.0.56.Final.jar
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Path to dependency file: /eng/code-quality-reports/target/classes/dependency-allowlist.html
Path to vulnerable library: /eng/code-quality-reports/target/classes/dependency-allowlist.html,/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter-stateless/src/main/resources/static/index.html,/eng/code-quality-reports/src/main/resources/dependency-allowlist.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Path to dependency file: azure-sdk-for-java/eng/mgmt/package.json
Path to vulnerable library: azure-sdk-for-java/eng/mgmt/node_modules/gulp-gh-pages/node_modules/braces/package.json,azure-sdk-for-java/eng/mgmt/node_modules/gulp-gh-pages/node_modules/braces/package.json
Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.