[Apiiro] SCA OSS Vulnerabilities - Critical CVSS score · Critical Risk

[apiiro-staging]

July 1st 3 tix

Discovered on: Mar 10, 2024 15:57
Dependency: com.fasterxml.jackson.core:jackson-databind
Version:
Type: Direct
Introduced through:

• com.fasterxml.jackson.core:jackson-databind: 2.6.5

Vulnerabilities

• Serialization gadget exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• SSRF Vulnerability in FasterXML jackson-databind with CVSS score 10. fixed version: 2.6.7.2
• XXE Vulnerability in FasterXML jackson-databind 2.x with CVSS score 9.800000190734863. fixed version: 2.6.7.2
• Unspecified Impact Vulnerability in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Unspecified Impact Vulnerability in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Denial of Service Vulnerability in jackson-databind with CVSS score 4.699999809265137. fixed version: 2.16.0
• Deeply nested json in jackson-databind with CVSS score 7.5. fixed version: 2.12.6.1
• Code Injection in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.6
• jackson-databind is vulnerable to a deserialization flaw with CVSS score 9.800000190734863. fixed version: 2.6.7.1
• Polymorphic deserialization of malicious object in jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization with CVSS score 8.100000381469727. fixed version: 2.9.10.5
• Serialization gadgets exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• Serialization gadgets exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind Deserialization of Untrusted Data vulnerability with CVSS score 7.5. fixed version: 2.6.7.3
• Arbitrary Code Execution in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• XML External Entity (XXE) Injection in Jackson Databind with CVSS score 7.5. fixed version: 2.6.7.4
• Uncontrolled Resource Consumption in Jackson-databind with CVSS score 7.5. fixed version: 2.12.7.1
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind polymorphic typing issue with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Polymorphic Typing issue in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind polymorphic typing issue with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• Polymorphic Typing issue in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Arbitrary Code Execution in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 5.900000095367432. fixed version: 2.6.7.3
• Information exposure in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Polymorphic Typing in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of Untrusted Data in FasterXML jackson-databind with CVSS score 5.900000095367432. fixed version: 2.6.7.3
• jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution with CVSS score 9.800000190734863. fixed version: 2.6.7.2
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• FasterXML jackson-databind allows unauthenticated remote code execution with CVSS score 9.800000190734863. fixed version: 2.7.9.3
• Deserialization of untrusted data in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Improper Input Validation in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.8.11.5
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 8.800000190734863. fixed version: 2.6.7.4
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• Deserialization of Untrusted Data in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.3
• Uncontrolled Resource Consumption in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.12.7.1

About this package:

External dependency: com.fasterxml.jackson.core:jackson-databind - https://github.com/FasterXML/jackson
Package details: General data-binding functionality for Jackson: works on core streaming API
Latest version: 2.17.1
License: Apache-2.0
Insights:

• Frequent commits - New code commits are frequently being pushed
• Historical CVEs - This package had at least two critical or high CVEs in two consecutive years
• Has vulnerabilities - One or more vulnerabilities have been reported for this package
• High EPSS - This package has one vulnerability that is highly likely to be exploited according to the EPSS algorithm
• Exploit POC - This package has 5 vulnerabilities with proof of concept exploits.

Remediation

Upgrade to com.fasterxml.jackson.core:[email protected]:

1. Go to api2-model/pom.xml
2. Replace vulnerable version 2.6.5 with fix version 2.16.0
   View in Apiiro