This project forked from azure/azure-sdk-for-java
This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/en-us/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
License: MIT License
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
CVSS 3 Score Details (3.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-85cw-hj65-qqv9
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.7.9.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000352
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - retrofit-2.1.0.jarType-safe HTTP client for Android and Java by Square, Inc.
Library home page: http://github.com/square/retrofit/
Path to vulnerable library: azure-sdk-for-java/sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/retrofit-2.1.0.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
Publish Date: 2018-12-20
URL: CVE-2018-1000844
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000844
Release Date: 2018-12-20
Fix Resolution: com.squareup.retrofit2:retrofit:2.5.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Publish Date: 2018-06-04
URL: CVE-2016-1000340
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000340
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution: 2.7.9.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - nimbus-jose-jwt-3.1.2.jarJava library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
Publish Date: 2017-08-20
URL: CVE-2017-12974
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12974
Release Date: 2017-08-20
Fix Resolution: 4.36
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-core-2.7.2.jarCore Jackson abstractions, basic JSON streaming API implementation
Library home page: https://github.com/FasterXML/jackson-core
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-core-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.
Publish Date: 2016-08-25
URL: WS-2018-0125
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-08-25
Fix Resolution: 2.7.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-gjmw-vf9h-g25v
Release Date: 2019-10-12
Fix Resolution: 2.8.11.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
CVSS 3 Score Details (3.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
Publish Date: 2016-01-06
URL: CVE-2015-6644
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6644
Release Date: 2016-01-06
Fix Resolution: 1.55
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12022
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Publish Date: 2019-10-08
URL: CVE-2019-17359
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
Release Date: 2019-10-08
Fix Resolution: 1.64
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Publish Date: 2020-04-07
URL: CVE-2020-11620
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620
Release Date: 2020-04-07
Fix Resolution: 2.9.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12023
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-17
Fix Resolution: 2.7.9.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Publish Date: 2020-06-14
URL: CVE-2020-14062
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062
Release Date: 2020-06-14
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - lodash.template-3.6.2.tgz, lodash-1.0.2.tgz
The modern build of lodashβs `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /sdk/batch/microsoft-azure-batch/package.json
Path to vulnerable library: /sdk/batch/microsoft-azure-batch/node_modules/lodash.template/package.json,/sdk/resourcemanager/node_modules/gulp-util/node_modules/lodash.template/package.json,/eng/mgmt/node_modules/gulp-util/node_modules/lodash.template/package.json
Dependency Hierarchy:
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /sdk/batch/microsoft-azure-batch/package.json
Path to vulnerable library: /sdk/batch/microsoft-azure-batch/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (gulp-gh-pages): 0.6.0-1
Fix Resolution (lodash): 4.5.0
Direct dependency fix Resolution (gulp): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-fmmc-742q-jg75
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-3.2.0.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Publish Date: 2020-06-14
URL: CVE-2020-14060
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060
Release Date: 2020-06-14
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-1.0.2.tgzA utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /sdk/batch/microsoft-azure-batch/package.json
Path to vulnerable library: /sdk/batch/microsoft-azure-batch/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (gulp): 4.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - bootstrap-4.0.0.min.js, bootstrap-3.2.0.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js
Path to dependency file: /eng/code-quality-reports/target/classes/dependency-allowlist.html
Path to vulnerable library: /eng/code-quality-reports/target/classes/dependency-allowlist.html,/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter-stateless/src/main/resources/static/index.html,/eng/code-quality-reports/src/main/resources/dependency-allowlist.html
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Publish Date: 2020-03-31
URL: CVE-2020-11112
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.7.9.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-collections-2.1.1.jarnull
Path to vulnerable library: azure-sdk-for-java/sdk/resourcemanager/azure-resourcemanager-samples/src/main/resources/coffeeshop/webapps/coffeeshop/WEB-INF/lib/commons-collections-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - netty-all-4.0.56.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /sdk/spring/azure-spring-data-gremlin/package/apache-tinkerpop-gremlin-server-minimal-3.3.4.tar/apache-tinkerpop-gremlin-server-minimal-3.3.4/lib/netty-all-4.0.56.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Publish Date: 2020-01-27
URL: CVE-2020-7238
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution: 4.1.44.Final
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: 2.7.9.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - nimbus-jose-jwt-3.1.2.jarJava library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
Publish Date: 2017-08-20
URL: CVE-2017-12973
CVSS 3 Score Details (3.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12973
Release Date: 2022-10-03
Fix Resolution: 4.39
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Publish Date: 2020-03-31
URL: CVE-2020-11113
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - nimbus-jose-jwt-3.1.2.jarJava library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/nimbus-jose-jwt-3.1.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
Publish Date: 2017-08-20
URL: CVE-2017-12972
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12972
Release Date: 2017-08-20
Fix Resolution: 4.39
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Publish Date: 2020-03-31
URL: CVE-2020-11111
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution: 2.9.10.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Publish Date: 2020-06-14
URL: CVE-2020-14061
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061
Release Date: 2020-06-14
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-core-2.7.2.jarCore Jackson abstractions, basic JSON streaming API implementation
Library home page: https://github.com/FasterXML/jackson-core
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-core-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Publish Date: 2018-06-24
URL: WS-2018-0124
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124
Release Date: 2018-01-24
Fix Resolution: 2.8.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-codec-1.10.jarLibrary home page: http://archive.apache.org/dist/pulsar/pulsar-2.6.1/apache-pulsar-2.6.1-bin.tar.gz
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/commons-codec-1.10.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Apache commons-codec before version βcommons-codec-1.13-RC1β is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-x2w5-5m2g-7h5m
Release Date: 2019-01-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.5,2.8.11.3,2.9.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-3.2.0.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js
Path to dependency file: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Path to vulnerable library: /sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter/src/main/resources/templates/index.html
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.51.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/bcprov-jdk15on-1.51.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution: 2.7.9.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - bootstrap-4.0.0.min.jsThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js
Path to dependency file: /eng/code-quality-reports/target/classes/dependency-allowlist.html
Path to vulnerable library: /eng/code-quality-reports/target/classes/dependency-allowlist.html,/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-resource-server-by-filter-stateless/src/main/resources/static/index.html,/eng/code-quality-reports/src/main/resources/dependency-allowlist.html
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
Publish Date: 2018-07-13
URL: CVE-2018-14041
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.7.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /sdk/resourcemanager/azure-resourcemanager-appservice/src/test/resources/appservicemsi/WEB-INF/lib/jackson-databind-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Publish Date: 2020-04-07
URL: CVE-2020-11619
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619
Release Date: 2020-04-07
Fix Resolution: 2.8.0.rc1
Step up your Open Source Security Game with Mend here
Vulnerable Library - braces-1.8.5.tgzFastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: azure-sdk-for-java/eng/mgmt/package.json
Path to vulnerable library: azure-sdk-for-java/eng/mgmt/node_modules/gulp-gh-pages/node_modules/braces/package.json,azure-sdk-for-java/eng/mgmt/node_modules/gulp-gh-pages/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: d00274c5406c57214dbd8d18882a072c71e83d85
Found in base branch: master
Vulnerability Details
Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Publish Date: 2018-02-16
URL: WS-2019-0019
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/786
Release Date: 2019-02-21
Fix Resolution: 2.3.1
Step up your Open Source Security Game with WhiteSource here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
