Scribd
Upload
130 views10 pages

Docker Linux-Latest Security Export

This document contains a summary of 20 vulnerabilities found in various components. The vulnerabilities include issues that allow execution of arbitrary code, XML entity expansion attacks, and polymorphic typing issues that could allow execution of malicious payloads. Many of the vulnerabilities are in FasterXML jackson-databind versions before 2.9.10 and affect how object serialization and polymorphic typing are handled. Components like BusyBox, XMLBeans, various database connection pools, and Hadoop are also affected by issues discovered.

Uploaded by

Lap Ngo Doan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
130 views10 pages

Docker Linux-Latest Security Export

This document contains a summary of 20 vulnerabilities found in various components. The vulnerabilities include issues that allow execution of arbitrary code, XML entity expansion attacks, and polymorphic typing issues that could allow execution of malicious payloads. Many of the vulnerabilities are in FasterXML jackson-databind versions before 2.9.10 and affect how object serialization and polymorphic typing are handled. Components like BusyBox, XMLBeans, various database connection pools, and Hadoop are also affected by issues discovered.

Uploaded by

Lap Ngo Doan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Security Export

Wed Apr 20, 2022


Exported by: admin
Package type: Docker
Component name: linux:latest

Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
BusyBox through 1.35.0 allows remote CVE-2022-28391 Critical 3.15:ssl_client <= 1.34.1-r4 1.34.1-r5 2022-04-20T07:47:3
attackers to execute arbitrary code if netstat is 8Z
used to print a DNS PTR record's value to a
VT compatible terminal. Alternatively, the
attacker could choose to change the terminal's
colors.
A Polymorphic Typing issue was discovered in CVE-2019-16942 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.10.0 <= Version < 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:2
FasterXML jackson-databind 2.0.0 through 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.10.1,2.7.0 <= Version < 1.5,2.9.10.1 9Z
2.9.10. When Default Typing is enabled (either pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.7.9.7,2.9.0 <= Version < 2.9.10.1
globally or for a specific property) for an 02181132.jar/lib/jackson-databind-2.9.9.3.jar
externally exposed JSON endpoint and the
service has the commons-dbcp (1.4) jar in the
classpath, and an attacker can find an RMI
service endpoint to access, it is possible to
make the service execute a malicious payload.
This issue exists because of
org.apache.commons.dbcp.datasources.Shared
PoolDataSource and
org.apache.commons.dbcp.datasources.PerUser
PoolDataSource mishandling.

Page 1
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
A flaw was discovered in FasterXML CVE-2019-14893 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:3
jackson-databind in all versions before 2.9.10 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0.rc1 <= Version < 1.5,2.9.10 8Z
and 2.10.0, where it would permit polymorphic pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0.pr1 <= Version <
deserialization of malicious objects using the 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10
xalan JNDI gadget when used in conjunction
with polymorphic type handling methods such
as `enableDefaultTyping()` or when
@JsonTypeInfo is using `Id.CLASS` or
`Id.MINIMAL_CLASS` or in any other way
which ObjectMapper.readValue might
instantiate objects from unsafe sources. An
attacker could use this flaw to execute arbitrary
code.
FasterXML jackson-databind 2.x before CVE-2020-9546 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: <= 2.7.9.6,2.8.0 <= Version <= 2.7.9.7,2.8.11.6,2.9. 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.8.11.5,2.9.0.pr1 <= Version <= 10.4 8Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.3
org.apache.hadoop.shaded.com.zaxxer.hikari.H 02181132.jar/lib/jackson-databind-2.9.9.3.jar
ikariConfig (aka shaded hikari-config).
A Polymorphic Typing issue was discovered in CVE-2019-16943 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version < 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:2
FasterXML jackson-databind 2.0.0 through 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.7,2.8.0.rc1 <= Version < 1.5,2.9.10.1 9Z
2.9.10. When Default Typing is enabled (either pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0.pr1 <= Version <
globally or for a specific property) for an 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10.1
externally exposed JSON endpoint and the
service has the p6spy (3.8.6) jar in the
classpath, and an attacker can find an RMI
service endpoint to access, it is possible to
make the service execute a malicious payload.
This issue exists because of
com.p6spy.engine.spy.P6DataSource
mishandling.
The XML parsers used by XMLBeans up to CVE-2021-23926 Critical sha256__48a661b26dd00be123245256854705936 xmlbeans:xbean < 3.0.0 3.0.0 2022-04-20T07:47:2
version 2.6.0 did not set the properties needed 0625893f9668741c7886d92194f6bb7.tar.gz/works 0Z
to protect the user from malicious XML input. pace/bin/quartus/sopc_builder/model/lib/xbean.jar
Vulnerabilities include possibilities for XML
Entity Expansion attacks. Affects XMLBeans
up to and including v2.6.0.
A Polymorphic Typing issue was discovered in CVE-2019-17267 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.10.0,2.6.7.3,2.8.1 2022-04-20T07:46:3
FasterXML jackson-databind before 2.9.10. It 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.7,2.8.0 <= Version < 1.5,2.9.10 1Z
is related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0 <= Version < 2.9.10
net.sf.ehcache.hibernate.EhcacheJtaTransactio 02181132.jar/lib/jackson-databind-2.9.9.3.jar
nManagerLookup.
A Polymorphic Typing issue was discovered in CVE-2019-14540 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0 <= Version < 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:2
FasterXML jackson-databind before 2.9.10. It 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.7,2.8.0 <= Version < 1.5,2.9.10 9Z
is related to com.zaxxer.hikari.HikariConfig. pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0 <= Version < 2.9.10
02181132.jar/lib/jackson-databind-2.9.9.3.jar

Page 2
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
A Polymorphic Typing issue was discovered in CVE-2019-16335 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:2
FasterXML jackson-databind before 2.9.10. It 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0.rc1 <= Version <= 1.5,2.9.10 9Z
is related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.4,2.9.0 <= Version <=
com.zaxxer.hikari.HikariDataSource. This is a 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.9.3
different vulnerability than CVE-2019-14540.
FasterXML jackson-databind 2.x before CVE-2020-9548 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: <= 2.7.9.6,2.8.0 <= Version <= 2.7.9.7,2.8.11.6,2.9. 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.8.11.5,2.9.0.pr1 <= Version <= 10.4 8Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.3
br.com.anteros.dbcp.AnterosDBCPConfig (aka 02181132.jar/lib/jackson-databind-2.9.9.3.jar
anteros-core).
FasterXML jackson-databind 2.x before CVE-2020-9547 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: <= 2.7.9.6,2.8.0 <= Version <= 2.7.9.7,2.8.11.6,2.9. 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.8.11.5,2.9.0.pr1 <= Version <= 10.4 8Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.3
com.ibatis.sqlmap.engine.transaction.jta.JtaTra 02181132.jar/lib/jackson-databind-2.9.9.3.jar
nsactionConfig (aka ibatis-sqlmap).
A flaw was discovered in jackson-databind in CVE-2019-14892 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:3
versions before 2.9.10, 2.8.11.5 and 2.6.7.3, 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0.rc1 <= Version < 1.5,2.9.10 8Z
where it would permit polymorphic pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0.pr1 <= Version <
deserialization of a malicious object using 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10
commons-configuration 1 and 2 JNDI classes.
An attacker could use this flaw to execute
arbitrary code.
A Polymorphic Typing issue was discovered in CVE-2019-17531 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:2
FasterXML jackson-databind 2.0.0 through 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0.rc1 <= Version <= 1.5,2.9.10.1 9Z
2.9.10. When Default Typing is enabled (either pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.4,2.9.0.pr1 <= Version <=
globally or for a specific property) for an 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10
externally exposed JSON endpoint and the
service has the apache-log4j-extra (version
1.2.x) jar in the classpath, and an attacker can
provide a JNDI service to access, it is possible
to make the service execute a malicious
payload.
FasterXML jackson-databind 2.x before CVE-2019-20330 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: <= 2.7.9.6,2.8.0.rc1 <= Version <= 2.7.9.7,2.8.11.5,2.9. 2022-04-20T07:46:3
2.9.10.2 lacks certain net.sf.ehcache blocking. 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.8.11.4,2.9.0.pr1 <= Version < 10.2 1Z
pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.2
02181132.jar/lib/jackson-databind-2.9.9.3.jar
FasterXML jackson-databind 2.0.0 through CVE-2020-8840 Critical sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.7.9.7,2.8.0.rc1 <= Version < 2.7.9.7,2.8.11.5,2.9. 2022-04-20T07:46:3
2.9.10.2 lacks certain xbean-reflect/JNDI 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.8.11.5,2.9.0.pr1 <= Version < 10.3 6Z
blocking, as demonstrated by pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.3
org.apache.xbean.propertyeditor.JndiConverter 02181132.jar/lib/jackson-databind-2.9.9.3.jar
.

Page 3
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
BusyBox through 1.35.0 allows remote CVE-2022-28391 Critical 3.15:busybox < 1.34.1-r5 1.34.1-r5 2022-04-20T07:47:3
attackers to execute arbitrary code if netstat is 8Z
used to print a DNS PTR record's value to a
VT compatible terminal. Alternatively, the
attacker could choose to change the terminal's
colors.
A flaw was found in FasterXML Jackson CVE-2020-25649 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.10.0.pr1 <= Version < 2.10.5.1,2.11.0.rc1, 2022-04-20T07:47:0
Databind, where it did not have entity 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.10.5.1,2.9.0.pr1 <= Version < 2.6.7.4,2.9.10.7 5Z
expansion secured properly. This flaw allows pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.9.10.7
vulnerability to XML external entity (XXE) 02181132.jar/lib/jackson-databind-2.9.9.3.jar
attacks. The highest threat from this
vulnerability is data integrity.
FasterXML jackson-databind Multiple Gadget High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.4 2022-04-20T07:46:0
Insecure Deserialization Unspecified Remote 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.4 6Z
Weakness pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
02181132.jar/lib/jackson-databind-2.9.9.3.jar
FasterXML jackson-databind 2.x before CVE-2020-10673 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0-rc1 <= Version <= 2.6.7.4,2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.7,2.8.0 <= Version <= 3Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.6,2.9.0.pr1 <= Version <=
com.caucho.config.types.ResourceRef (aka 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10.3
caucho-quercus).
FasterXML jackson-databind 2.x before CVE-2020-10968 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.4 3Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.aoju.bus.proxy.provider.remoting.RmiProv 02181132.jar/lib/jackson-databind-2.9.9.3.jar
ider (aka bus-proxy).
jsoup is a Java library for working with HTML. CVE-2021-37714 High sha256__48a661b26dd00be123245256854705936 org.jsoup:jsoup < 1.14.2 1.14.2 2022-04-20T07:47:2
Those using jsoup versions prior to 1.14.2 to 0625893f9668741c7886d92194f6bb7.tar.gz/works 8Z
parse untrusted HTML or XML may be pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
vulnerable to DOS attacks. If the parser is run 02181132.jar/lib/org.jsoup_1.7.2.v201411291515.j
on user supplied input, an attacker may supply ar/META-INF/maven/org.jsoup/jsoup/pom.xml
content that causes the parser to get stuck (loop
indefinitely until cancelled), to complete more
slowly than usual, or to throw an unexpected
exception. This effect may support a denial of
service attack. The issue is patched in version
1.14.2. There are a few available workarounds.
Users may rate limit input parsing, limit the
size of inputs based on system resources,
and/or implement thread watchdogs to cap and
timeout parse runtimes.

Page 4
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
jsoup parser/CharacterReader.java Multiple High sha256__48a661b26dd00be123245256854705936 org.jsoup:jsoup < 1.9.2 1.9.2 2022-04-20T07:46:0
Functions Tag Parsing Non-ascii Character 0625893f9668741c7886d92194f6bb7.tar.gz/works 2Z
Handling Infinite Loop DoS pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
02181132.jar/lib/org.jsoup_1.7.2.v201411291515.j
ar/META-INF/maven/org.jsoup/jsoup/pom.xml
FasterXML jackson-databind 2.x before CVE-2020-10969 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version <= 2.6.7.4,2.7.9.7,2.8.1 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0 <= Version <= 1.6,2.9.10.4 3Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.5,2.9.0.pr1 <= Version <=
javax.swing.JEditorPane. 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10.3
FasterXML jackson-databind 2.x before CVE-2020-36181 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp.cpdsadapter.Driv 02181132.jar/lib/jackson-databind-2.9.9.3.jar
erAdapterCPDS.
FasterXML jackson-databind 2.x before CVE-2020-36188 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
com.newrelic.agent.deps.ch.qos.logback.core.d 02181132.jar/lib/jackson-databind-2.9.9.3.jar
b.JNDIConnectionSource.
FasterXML jackson-databind 2.x before CVE-2020-14060 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.5 2022-04-20T07:46:4
2.9.10.5 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.5 7Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
oadd.org.apache.xalan.lib.sql.JNDIConnection 02181132.jar/lib/jackson-databind-2.9.9.3.jar
Pool (aka apache/drill).
FasterXML jackson-databind 2.x before CVE-2020-11113 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: 2.0.0 <= Version < 2.9.10.4 2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 8Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.openjpa.ee.WASRegistryManaged 02181132.jar/lib/jackson-databind-2.9.9.3.jar
Runtime (aka openjpa).
FasterXML jackson-databind 2.x before CVE-2020-35728 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 7Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
com.oracle.wls.shaded.org.apache.xalan.lib.sql. 02181132.jar/lib/jackson-databind-2.9.9.3.jar
JNDIConnectionPool (aka embedded Xalan in
org.glassfish.web/javax.servlet.jsp.jstl).
FasterXML jackson-databind 2.x before CVE-2020-10672 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0-rc1 <= Version <= 2.6.7.4,2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.7,2.8.0 <= Version <= 3Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.6,2.9.0.p1 <= Version <=
org.apache.aries.transaction.jms.internal.XaPo 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.10.3
oledConnectionFactory (aka
aries.transaction.jms).

Page 5
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
FasterXML jackson-databind 2.x before CVE-2020-11111 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.4 2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.activemq.* (aka activemq-jms, 02181132.jar/lib/jackson-databind-2.9.9.3.jar
activemq-core, activemq-pool, and
activemq-pool-jms).
FasterXML jackson-databind 2.x before CVE-2020-36186 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp.datasources.PerU 02181132.jar/lib/jackson-databind-2.9.9.3.jar
serPoolDataSource.
FasterXML jackson-databind High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: 2.10.0 <= Version <= 2.12.6,2.13.1,2.14.0 2022-04-20T07:46:0
node/NodeSerialization.java 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.10.5.1,2.11.0.rc1 <= Version <= 2Z
NodeSerialization::readExternal() Function pace/plugins/com.fasterxml.jackson.core.jackson-d 2.11.4,2.12.0-rc1 <= Version <=
JDK Serialization Memory Exhaustion DoS atabind_2.10.1.jar; 2.12.5,2.13.0-rc1 <= Version <=
sha256__48a661b26dd00be123245256854705936 2.13.0
0625893f9668741c7886d92194f6bb7.tar.gz/works
pace/plugins/com.fasterxml.jackson.core.jackson-d
atabind_2.10.1.jar/META-INF/maven/com.fasterx
ml.jackson.core/jackson-databind/pom.xml
FasterXML jackson-databind CXF JAX-RS High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.3,2.7.0-rc1 <= Version <= 2.6.7.3,2.7.9.7,2.8.1 2022-04-20T07:46:0
Implementation 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.7.9.6,2.8.0.rc1 <= Version <= 1.5,2.9.10 5Z
jsontype/impl/SubTypeValidator.java Insecure pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021 2.8.11.4,2.9.0.pr1 <= Version <=
Deserialization Remote Code Execution 02181132.jar/lib/jackson-databind-2.9.9.3.jar 2.9.9.3
FasterXML jackson-databind 2.x before CVE-2020-14062 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.5 2.9.10.5 2022-04-20T07:46:4
2.9.10.5 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
com.sun.org.apache.xalan.internal.lib.sql.JNDI 02181132.jar/lib/jackson-databind-2.9.9.3.jar
ConnectionPool (aka xalan2).
FasterXML jackson-databind 2.x before CVE-2020-35490 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 7Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.commons.dbcp2.datasources.PerUs 02181132.jar/lib/jackson-databind-2.9.9.3.jar
erPoolDataSource.
FasterXML jackson-databind 2.x before CVE-2020-11619 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: <= 2.9.10.3 2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 8Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.springframework.aop.config.MethodLocati 02181132.jar/lib/jackson-databind-2.9.9.3.jar
ngFactoryBean (aka spring-aop).
FasterXML jackson-databind 2.x before CVE-2020-14195 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.5 2022-04-20T07:46:4
2.9.10.5 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.5 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.jsecurity.realm.jndi.JndiRealmFactory (aka 02181132.jar/lib/jackson-databind-2.9.9.3.jar
org.jsecurity).

Page 6
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
FasterXML jackson-databind 2.x before CVE-2020-24750 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.6 2022-04-20T07:47:0
2.9.10.6 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.6 2Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
com.pastdev.httpcomponents.configuration.Jnd 02181132.jar/lib/jackson-databind-2.9.9.3.jar
iConfiguration.
FasterXML jackson-databind 2.x before CVE-2020-36180 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.commons.dbcp2.cpdsadapter.Driver 02181132.jar/lib/jackson-databind-2.9.9.3.jar
AdapterCPDS.
FasterXML jackson-databind 2.x before CVE-2020-35491 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 7Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.commons.dbcp2.datasources.Share 02181132.jar/lib/jackson-databind-2.9.9.3.jar
dPoolDataSource.
FasterXML jackson-databind High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.6 2.9.10.6 2022-04-20T07:46:1
com.nqadmin.rowset.JdbcRowSetImpl Gadget 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 4Z
Insecure Deserialization Unspecified Remote pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
Weakness 02181132.jar/lib/jackson-databind-2.9.9.3.jar
FasterXML jackson-databind 2.x before CVE-2020-11620 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.4 2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.commons.jelly.impl.Embedded 02181132.jar/lib/jackson-databind-2.9.9.3.jar
(aka commons-jelly).
A flaw was found in jackson-databind before CVE-2021-20190 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.7 2022-04-20T07:47:1
2.9.10.7. FasterXML mishandles the 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.7 9Z
interaction between serialization gadgets and pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
typing. The highest threat from this 02181132.jar/lib/jackson-databind-2.9.9.3.jar
vulnerability is to data confidentiality and
integrity as well as system availability.
jackson-databind before 2.13.0 allows a Java CVE-2020-36518 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.12.6.1,2.13.0-rc1 <= Version < 2.12.6.1,2.13.2.1 2022-04-20T07:47:3
StackOverflow exception and denial of service 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.13.2.1 7Z
via a large depth of nested objects. pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
02181132.jar/lib/jackson-databind-2.9.9.3.jar
jackson-databind before 2.13.0 allows a Java CVE-2020-36518 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.12.6.1,2.13.0-rc1 <= Version < 2.12.6.1,2.13.2.1 2022-04-20T07:47:3
StackOverflow exception and denial of service 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.13.2.1 7Z
via a large depth of nested objects. pace/plugins/com.fasterxml.jackson.core.jackson-d
atabind_2.10.1.jar;
sha256__48a661b26dd00be123245256854705936
0625893f9668741c7886d92194f6bb7.tar.gz/works
pace/plugins/com.fasterxml.jackson.core.jackson-d
atabind_2.10.1.jar/META-INF/maven/com.fasterx
ml.jackson.core/jackson-databind/pom.xml

Page 7
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
jsoup CharacterReader::nextIndexOf() High sha256__48a661b26dd00be123245256854705936 org.jsoup:jsoup < 1.7.3 1.7.3 2022-04-20T07:46:0
Function Unterminated CDATA Section 0625893f9668741c7886d92194f6bb7.tar.gz/works 2Z
Handling Array Indexing Out-of-bounds Read pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
DoS 02181132.jar/lib/org.jsoup_1.7.2.v201411291515.j
ar/META-INF/maven/org.jsoup/jsoup/pom.xml
FasterXML jackson-databind High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.6 2.9.10.6 2022-04-20T07:46:1
org.arrah.framework.rdbms.UpdatableJdbcRo 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 4Z
wsetImpl Gadget Insecure Deserialization pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
Unspecified Remote Weakness 02181132.jar/lib/jackson-databind-2.9.9.3.jar
FasterXML jackson-databind 2.x before CVE-2020-11112 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.4 2.9.10.4 2022-04-20T07:46:3
2.9.10.4 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.commons.proxy.provider.remoting. 02181132.jar/lib/jackson-databind-2.9.9.3.jar
RmiProvider (aka apache/commons-proxy).
FasterXML jackson-databind 2.x before CVE-2020-36187 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp.datasources.Shar 02181132.jar/lib/jackson-databind-2.9.9.3.jar
edPoolDataSource.
FasterXML jackson-databind 2.x before CVE-2020-36189 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
com.newrelic.agent.deps.ch.qos.logback.core.d 02181132.jar/lib/jackson-databind-2.9.9.3.jar
b.DriverManagerConnectionSource.
FasterXML jackson-databind 2.x before CVE-2020-36182 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.Dri 02181132.jar/lib/jackson-databind-2.9.9.3.jar
verAdapterCPDS.
FasterXML jackson-databind 2.x before CVE-2020-14061 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.5 2022-04-20T07:46:4
2.9.10.5 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.5 6Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
oracle.jms.AQjmsQueueConnectionFactory, 02181132.jar/lib/jackson-databind-2.9.9.3.jar
oracle.jms.AQjmsXATopicConnectionFactory,
oracle.jms.AQjmsTopicConnectionFactory,
oracle.jms.AQjmsXAQueueConnectionFactory
, and oracle.jms.AQjmsXAConnectionFactory
(aka weblogic/oracle-aqjms).
FasterXML jackson-databind 2.x before CVE-2020-36179 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
oadd.org.apache.commons.dbcp.cpdsadapter.D 02181132.jar/lib/jackson-databind-2.9.9.3.jar
riverAdapterCPDS.

Page 8
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
FasterXML jackson-databind 2.x before CVE-2020-36184 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp2.datasources.Per 02181132.jar/lib/jackson-databind-2.9.9.3.jar
UserPoolDataSource.
FasterXML jackson-databind 2.x before CVE-2020-24616 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.7.0 <= Version < 2.6.7.4,2.9.10.6 2022-04-20T07:47:0
2.9.10.6 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.6 0Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
br.com.anteros.dbcp.AnterosDBCPDataSource 02181132.jar/lib/jackson-databind-2.9.9.3.jar
(aka Anteros-DBCP).
FasterXML jackson-databind 2.x before CVE-2020-36185 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.apache.tomcat.dbcp.dbcp2.datasources.Sha 02181132.jar/lib/jackson-databind-2.9.9.3.jar
redPoolDataSource.
jsoup parser/HtmlTreeBuilderState.java High sha256__48a661b26dd00be123245256854705936 org.jsoup:jsoup 1.6.2 <= Version < 1.14.2 1.14.2 2022-04-20T07:46:0
InTable::process() Function Nested Table 0625893f9668741c7886d92194f6bb7.tar.gz/works 1Z
Elements Improper Recursion Handling Stack pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
Exhaustion DoS 02181132.jar/lib/org.jsoup_1.7.2.v201411291515.j
ar/META-INF/maven/org.jsoup/jsoup/pom.xml
FasterXML jackson-databind 2.x before CVE-2020-36183 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.5,2.7.0 <= Version < 2.6.7.5,2.9.10.8 2022-04-20T07:47:1
2.9.10.8 mishandles the interaction between 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.9.10.8 9Z
serialization gadgets and typing, related to pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
org.docx4j.org.apache.xalan.lib.sql.JNDIConne 02181132.jar/lib/jackson-databind-2.9.9.3.jar
ctionPool.
A flaw was found in FasterXML Jackson CVE-2020-25649 High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.6.7.4,2.10.0.pr1 <= Version < 2.10.5.1,2.11.0.rc1, 2022-04-20T07:47:0
Databind, where it did not have entity 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 2.10.5.1,2.9.0.pr1 <= Version < 2.6.7.4,2.9.10.7 5Z
expansion secured properly. This flaw allows pace/plugins/com.fasterxml.jackson.core.jackson-d 2.9.10.7
vulnerability to XML external entity (XXE) atabind_2.10.1.jar;
attacks. The highest threat from this sha256__48a661b26dd00be123245256854705936
vulnerability is data integrity. 0625893f9668741c7886d92194f6bb7.tar.gz/works
pace/plugins/com.fasterxml.jackson.core.jackson-d
atabind_2.10.1.jar/META-INF/maven/com.fasterx
ml.jackson.core/jackson-databind/pom.xml
FasterXML jackson-databind Multiple Gadgets High sha256__48a661b26dd00be123245256854705936 com.fasterxml.jackson.core: < 2.9.10.8 2.9.10.8 2022-04-20T07:46:1
Insecure Deserialization Unspecified Remote 0625893f9668741c7886d92194f6bb7.tar.gz/works jackson-databind 6Z
Weakness pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
02181132.jar/lib/jackson-databind-2.9.9.3.jar
Cross-site scripting (XSS) vulnerability in CVE-2015-6748 Medium sha256__48a661b26dd00be123245256854705936 org.jsoup:jsoup 1.6.2 <= Version < 1.8.3 1.8.3 2022-04-20T07:47:2
jsoup before 1.8.3. 0625893f9668741c7886d92194f6bb7.tar.gz/works 7Z
pace/plugins/org.eclipse.embedcdt.core_6.1.2.2021
02181132.jar/lib/org.jsoup_1.7.2.v201411291515.j
ar/META-INF/maven/org.jsoup/jsoup/pom.xml

Page 9
Summary CVEs Severity Component Physical Paths Component Infected Version Fix Version Edited
Apache Commons Net X.509 Certificate Medium sha256__48a661b26dd00be123245256854705936 commons-net:commons-net 3.0-RC1 <= Version <= 3.3 3.4-RC1 2022-04-20T07:46:0
Hostname Validation Failure MitM Spoofing 0625893f9668741c7886d92194f6bb7.tar.gz/works 4Z
pace/plugins/org.apache.commons.net_3.2.0.v2013
05141515.jar/META-INF/maven/commons-net/co
mmons-net/pom.xml
A temp directory creation vulnerability exists CVE-2020-8908 Low sha256__48a661b26dd00be123245256854705936 com.google.guava:guava <= 30.0-android,30.0-jr 2022-04-20T07:47:0
in all versions of Guava, allowing an attacker 0625893f9668741c7886d92194f6bb7.tar.gz/works 23.0,23.0-android,23.1-android,23. e 5Z
with access to the machine to potentially access pace/bin/quartus/sopc_builder/model/lib/guava-27. 1-jre,23.2-android,23.2-jre,23.3-an
data in a temporary directory created by the 1-jre.jar droid,23.3-jre,23.4-android,23.4-jr
Guava API e,23.5-android,23.5-jre,23.6-androi
com.google.common.io.Files.createTempDir(). d,23.6-jre,23.6.1-android,23.6.1-jre
By default, on unix-like systems, the created ,24.0-android,24.0-jre,24.1-android
directory is world-readable (readable by an ,24.1-jre,24.1.1-android,24.1.1-jre,
attacker with access to the system). The 25.0-android,25.0-jre,25.1-android,
method in question has been marked 25.1-jre,26.0-android,26.0-jre,27.0-
@Deprecated in versions 30.0 and later and android,27.0-jre,27.0.1-android,27.
should not be used. For Android developers, 0.1-jre,27.1-android,27.1-jre,28.0-a
we recommend choosing a temporary directory ndroid,28.0-jre,28.1-android,28.1-j
API provided by Android, such as re,28.2-android,28.2-jre,29.0-andro
context.getCacheDir(). For other Java id,29.0-jre
developers, we recommend migrating to the
Java 7 API
java.nio.file.Files.createTempDirectory()
which explicitly configures permissions of 700,
or configuring the Java runtime's java.io.tmpdir
system property to point to a location whose
permissions are appropriately configured.

Page 10

You might also like