789's People

Contributors

mend-for-github-com[bot], rammatzkvosky, yoswein

789's Issues

CVE-2017-7656 (High) detected in jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

CVE-2017-7656 - High Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

jetty-http-9.4.8.v20171121.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar
      • jetty-http-9.4.8.v20171121.jar (Vulnerable Library)

jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Publish Date: 2018-06-26

URL: CVE-2017-7656

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605

CVE-2017-7658 (High) detected in jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

CVE-2017-7658 - High Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

jetty-http-9.4.8.v20171121.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar
      • jetty-http-9.4.8.v20171121.jar (Vulnerable Library)

jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606

CVE-2019-16335 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-16335 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2020-10-20

Fix Resolution: 2.9.10


⛑️ Automatic Remediation is available for this issue

CVE-2019-11254 (Medium) detected in multiple libraries - autoclosed

CVE-2019-11254 - Medium Severity Vulnerability

Vulnerable Libraries - gopkg.in/yaml.v2-cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b, gopkg.in/yaml.v2-670d4cfef0544295bc27a114dbac37980d83185a, gopkg.in/yaml.v2-d670f9405373e636a5a2765eea47fac0c9bc91a4

gopkg.in/yaml.v2-cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b

YAML support for the Go language.

Dependency Hierarchy:

  • gopkg.in/yaml.v2-cd8b52f8269e0feb286dfeef29f8fe4d5b397e0b (Vulnerable Library)

gopkg.in/yaml.v2-670d4cfef0544295bc27a114dbac37980d83185a

YAML support for the Go language.

Dependency Hierarchy:

  • github.com/codegangsta/cli-v1.21.0 (Root Library)
    • gopkg.in/yaml.v2-670d4cfef0544295bc27a114dbac37980d83185a (Vulnerable Library)

gopkg.in/yaml.v2-d670f9405373e636a5a2765eea47fac0c9bc91a4

YAML support for the Go language.

Dependency Hierarchy:

  • gopkg.in/yaml.v2-d670f9405373e636a5a2765eea47fac0c9bc91a4 (Vulnerable Library)

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/go-yaml/yaml/tree/v2.2.8

Release Date: 2020-04-01

Fix Resolution: v2.2.8

CVE-2019-9741 (Medium) detected in https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11, gogo1.12.6 - autoclosed

CVE-2019-9741 - Medium Severity Vulnerability

Vulnerable Libraries - https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11, gogo1.12.6

Vulnerability Details

An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Publish Date: 2019-03-13

URL: CVE-2019-9741

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9741

Release Date: 2019-03-13

Fix Resolution: 1.12.1

CVE-2020-36188 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-36188 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36188

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2996

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8


⛑️ Automatic Remediation is available for this issue

CVE-2018-14721 (High) detected in jackson-databind-2.8.8.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3


⛑️ Automatic Remediation is available for this issue

CVE-2019-17531 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-17531 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10


⛑️ Automatic Remediation is available for this issue

CVE-2020-28367 (High) detected in gogo1.12.6 - autoclosed

CVE-2020-28367 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.

Publish Date: 2020-11-18

URL: CVE-2020-28367

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2019-12086 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9


⛑️ Automatic Remediation is available for this issue

CVE-2020-36242 (High) detected in XX-Net4.2.0 - autoclosed

CVE-2020-36242 - High Severity Vulnerability

Vulnerable Library - XX-Net4.2.0

a web proxy tool

Library home page: https://github.com/XX-net/XX-Net.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (1)

canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2

CVE-2018-14720 (High) detected in jackson-databind-2.8.8.jar

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7


⛑️ Automatic Remediation is available for this issue

CVE-2020-10968 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-10968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Publish Date: 2020-03-26

URL: CVE-2020-10968

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968

Release Date: 2020-03-26

Fix Resolution: jackson-databind-2.9.10.4


⛑️ Automatic Remediation is available for this issue

CVE-2018-12022 (High) detected in jackson-databind-2.8.8.jar

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6


⛑️ Automatic Remediation is available for this issue

CVE-2020-28366 (High) detected in gogo1.12.6 - autoclosed

CVE-2020-28366 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/cmd/go/internal/work/security.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.

Publish Date: 2020-11-18

URL: CVE-2020-28366

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2020-24553 (Medium) detected in https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11 - autoclosed

CVE-2020-24553 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11

GNU Compiler Collection (GCC)

Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (3)

canner/goroot/src/net/http/fcgi/child.go
canner/goroot/src/net/http/fcgi/child.go
canner/goroot/src/net/http/fcgi/child.go

Vulnerability Details

Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

Publish Date: 2020-09-02

URL: CVE-2020-24553

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs

Release Date: 2020-08-21

Fix Resolution: 1.15.1,1.14.8

CVE-2019-17267 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-17267 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2460

Release Date: 2019-10-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10


⛑️ Automatic Remediation is available for this issue

CVE-2017-7657 (High) detected in jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

CVE-2017-7657 - High Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.8.v20171121.jar, jetty-server-9.4.8.v20171121.jar

jetty-http-9.4.8.v20171121.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar
      • jetty-http-9.4.8.v20171121.jar (Vulnerable Library)

jetty-server-9.4.8.v20171121.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar

Dependency Hierarchy:

  • spark-core-2.7.2.jar (Root Library)
    • jetty-server-9.4.8.v20171121.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605

CVE-2019-9512 (High) detected in gogo1.12.6 - autoclosed

CVE-2019-9512 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/net/http/h2_bundle.go
canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9512

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512

Release Date: 2019-08-13

Fix Resolution: io.netty:netty-codec-http2:4.1.39.Final

CVE-2021-27918 (High) detected in https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0 - autoclosed

CVE-2021-27918 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0

Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/encoding/xml/xml.go
canner/goroot/src/encoding/xml/xml.go

Vulnerability Details

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

Publish Date: 2021-03-11

URL: CVE-2021-27918

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Release Date: 2021-03-11

Fix Resolution: 1.15.9, 1.16.1

CVE-2017-15095 (High) detected in jackson-databind-2.8.8.jar

CVE-2017-15095 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.8.10,2.9.1


⛑️ Automatic Remediation is available for this issue

CVE-2020-14039 (Medium) detected in https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0 - autoclosed

CVE-2020-14039 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0

Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (4)

canner/goroot/src/crypto/x509/verify.go
canner/goroot/src/crypto/x509/verify.go
canner/goroot/src/crypto/x509/root_windows.go
canner/goroot/src/crypto/x509/root_windows.go

Vulnerability Details

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

Publish Date: 2020-07-17

URL: CVE-2020-14039

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039

Release Date: 2020-07-17

Fix Resolution: 1.13.13,1.14.5

CVE-2020-7668 (High) detected in gogsv0.11.4 - autoclosed

CVE-2020-7668 - High Severity Vulnerability

Vulnerable Library - gogsv0.11.4

Gogs is a painless self-hosted Git service

Library home page: https://github.com/gogs/gogs.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Publish Date: 2020-06-23

URL: CVE-2020-7668

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7668

Release Date: 2020-07-07

Fix Resolution: v1.0.1

CVE-2020-10969 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-10969 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

Publish Date: 2020-03-26

URL: CVE-2020-10969

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969

Release Date: 2020-03-26

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.6;com.fasterxml.jackson.core:jackson-databind:2.7.9.7

CVE-2020-25659 (Medium) detected in XX-Net4.2.0 - autoclosed

CVE-2020-25659 - Medium Severity Vulnerability

Vulnerable Library - XX-Net4.2.0

a web proxy tool

Library home page: https://github.com/XX-net/XX-Net.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py
canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2020-09-17

Fix Resolution: 3.2

CVE-2019-14439 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-14439 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

Publish Date: 2019-07-30

URL: CVE-2019-14439

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439

Release Date: 2019-07-30

Fix Resolution: 2.9.9.2


⛑️ Automatic Remediation is available for this issue

CVE-2020-28362 (High) detected in https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11 - autoclosed

CVE-2020-28362 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11

GNU Compiler Collection (GCC)

Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/math/big/nat.go
canner/goroot/src/math/big/nat.go

Vulnerability Details

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.

Publish Date: 2020-11-18

URL: CVE-2020-28362

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI

Release Date: 2020-11-18

Fix Resolution: 1.14.12, 1.15.5

CVE-2018-12023 (High) detected in jackson-databind-2.8.8.jar

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6


⛑️ Automatic Remediation is available for this issue

CVE-2020-11620 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-11620 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Publish Date: 2020-04-07

URL: CVE-2020-11620

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620

Release Date: 2020-04-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4


⛑️ Automatic Remediation is available for this issue

CVE-2020-16845 (High) detected in https://source.codeaurora.org/quic/lc/aosp/toolchain/gcc/ndk-r11 - autoclosed

CVE-2020-16845 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/lc/aosp/toolchain/gcc/ndk-r11

Library home page: https://source.codeaurora.org/quic/lc/aosp/toolchain/gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (4)

canner/goroot/src/encoding/binary/varint.go
canner/goroot/src/encoding/binary/varint.go
canner/goroot/src/encoding/binary/varint.go
canner/goroot/src/encoding/binary/varint.go

Vulnerability Details

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

Publish Date: 2020-08-06

URL: CVE-2020-16845

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/golang/go/tree/go1.14.7

Release Date: 2020-08-05

Fix Resolution: go1.13.15,go1.14.7

CVE-2019-17596 (High) detected in https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0 - autoclosed

CVE-2019-17596 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0

Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (1)

canner/goroot/src/crypto/dsa/dsa.go

Vulnerability Details

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Publish Date: 2019-10-24

URL: CVE-2019-17596

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596

Release Date: 2019-10-24

Fix Resolution: Go-1.12.11,1.13.2

CVE-2019-9514 (High) detected in gogo1.12.6 - autoclosed

CVE-2019-9514 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/net/http/h2_bundle.go
canner/goroot/src/net/http/h2_bundle.go

Vulnerability Details

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9514

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

Release Date: 2019-08-13

Fix Resolution: 7.1.7,8.0.4

CVE-2020-36180 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-36180 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-07

URL: CVE-2020-36180

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3004

Release Date: 2021-01-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8


⛑️ Automatic Remediation is available for this issue

CVE-2021-3115 (High) detected in gogo1.12.6 - autoclosed

CVE-2021-3115 - High Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/cmd/go/internal/work/action.go
canner/goroot/src/cmd/go/internal/work/action.go

Vulnerability Details

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Publish Date: 2021-01-26

URL: CVE-2021-3115

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-3115

Release Date: 2021-01-11

Fix Resolution: go1.14.14,go1.15.7

CVE-2021-33196 (Medium) detected in https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0 - autoclosed

CVE-2021-33196 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0

Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

A security issue has been found in Go. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.

Publish Date: 2021-05-20

URL: CVE-2021-33196

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

CVE-2020-11619 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-11619 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Publish Date: 2020-04-07

URL: CVE-2020-11619

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619

Release Date: 2020-04-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4


⛑️ Automatic Remediation is available for this issue

CVE-2021-3114 (Medium) detected in https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0 - autoclosed

CVE-2021-3114 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/ubicom/ubi32-gcc/releases/gcc-10.2.0

Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/goroot/src/crypto/elliptic/p224.go
canner/goroot/src/crypto/elliptic/p224.go

Vulnerability Details

In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Publish Date: 2021-01-26

URL: CVE-2021-3114

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1918750

Release Date: 2021-01-11

Fix Resolution: go1.14.14, go1.15.7

CVE-2019-16276 (High) detected in https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11 - autoclosed

CVE-2019-16276 - High Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/basepoints/gcc-11

GNU Compiler Collection (GCC)

Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

Publish Date: 2019-09-30

URL: CVE-2019-16276

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276

Release Date: 2019-09-30

Fix Resolution: 1.12.10;1.13.1

CVE-2020-15586 (Medium) detected in gogo1.12.6 - autoclosed

CVE-2020-15586 - Medium Severity Vulnerability

Vulnerable Library - gogo1.12.6

The Go programming language

Library home page: https://github.com/golang/go.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (0)

Vulnerability Details

Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.

Publish Date: 2020-07-17

URL: CVE-2020-15586

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586

Release Date: 2020-07-17

Fix Resolution: 1.13.13,1.14.5

CVE-2019-12814 (Medium) detected in jackson-databind-2.8.8.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2341

Release Date: 2019-06-19

Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0


⛑️ Automatic Remediation is available for this issue

CVE-2020-36183 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-36183 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Publish Date: 2021-01-07

URL: CVE-2020-36183

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3003

Release Date: 2021-01-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8


⛑️ Automatic Remediation is available for this issue

CVE-2017-7525 (High) detected in jackson-databind-2.8.8.jar

CVE-2017-7525 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525

Release Date: 2018-02-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.1,2.7.9.1,2.8.9


⛑️ Automatic Remediation is available for this issue

CVE-2020-26137 (Medium) detected in https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/v3.10.0a5 - autoclosed

CVE-2020-26137 - Medium Severity Vulnerability

Vulnerable Library - https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/v3.10.0a5

Library home page: https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py
canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

CVE-2020-36181 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-36181 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3004

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8


⛑️ Automatic Remediation is available for this issue

CVE-2020-7664 (High) detected in gogsv0.11.4 - autoclosed

CVE-2020-7664 - High Severity Vulnerability

Vulnerable Library - gogsv0.11.4

Gogs is a painless self-hosted Git service

Library home page: https://github.com/gogs/gogs.git

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerable Source Files (2)

canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go

Vulnerability Details

In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

Publish Date: 2020-06-23

URL: CVE-2020-7664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7664

Release Date: 2020-07-07

Fix Resolution: v1.0.1

CVE-2020-36189 (High) detected in jackson-databind-2.8.8.jar

CVE-2020-36189 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Publish Date: 2021-01-06

URL: CVE-2020-36189

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2996

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8


⛑️ Automatic Remediation is available for this issue

CVE-2018-20225 (High) detected in pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl - autoclosed

CVE-2018-20225 - High Severity Vulnerability

Vulnerable Libraries - pip-19.1.1-py2.py3-none-any.whl, pip-19.3.1-py2.py3-none-any.whl

pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

pip-19.3.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.3.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerability Details

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Publish Date: 2020-05-08

URL: CVE-2018-20225

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-20916 (High) detected in pip-19.1.1-py2.py3-none-any.whl - autoclosed

CVE-2019-20916 - High Severity Vulnerability

Vulnerable Library - pip-19.1.1-py2.py3-none-any.whl

The PyPA recommended tool for installing Python packages.

Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl

Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl

Dependency Hierarchy:

  • pip-19.1.1-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28

Found in base branch: master

Vulnerability Details

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.

Publish Date: 2020-09-04

URL: CVE-2019-20916

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916

Release Date: 2020-09-04

Fix Resolution: 19.2


⛑️ Automatic Remediation is available for this issue

CVE-2018-11307 (High) detected in jackson-databind-2.8.8.jar

CVE-2018-11307 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6


⛑️ Automatic Remediation is available for this issue

CVE-2019-14540 (High) detected in jackson-databind-2.8.8.jar

CVE-2019-14540 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: 789/rename/pom.xml

Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar

Dependency Hierarchy:

  • jackson-databind-2.8.8.jar (Vulnerable Library)

Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1


⛑️ Automatic Remediation is available for this issue
