CVE Security Report - SICS Search SolrNode
This report is generated on: 26.03.2020, 12:34:12 UTC using dependency-check version: 5.0.0.
The report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.
| Name | Description | CWE | CVSS v2.0 Severity | CVSS v3.0 Severity | Dependency |
|---|---|---|---|---|---|
| CVE-2017-18365 | The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product’s source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects. | CWE-502 | HIGH | CRITICAL | caffeine-2.8.0.jar |
| CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | CWE-502 | MEDIUM | MEDIUM | carrot2-guava-18.0.jar |
| CVE-2019-12402 | The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. | CWE-399 | MEDIUM | HIGH | commons-compress-1.18.jar |
| CVE-2019-10241 | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. | CWE-79 | MEDIUM | MEDIUM | jetty-jndi-9.4.14.v20181114.jar |
| CVE-2019-10247 | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | CWE-200 | MEDIUM | MEDIUM | jetty-jndi-9.4.14.v20181114.jar |
| CVE-2017-14868 | Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension. | CWE-611 | MEDIUM | HIGH | org.restlet-2.3.0.jar |
| CVE-2017-14949 | Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation. | CWE-611 | MEDIUM | HIGH | org.restlet-2.3.0.jar |
| CVE-2019-12415 | In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | CWE-611 | LOW | poi-4.0.0.jar | |
| CVE-2017-1000190 | SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on. | CWE-611 | MEDIUM | CRITICAL | simple-xml-safe-2.7.1.jar |
| CVE-2018-17197 | A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika’s SQLite3Parser in versions 1.8-1.19.1 of Apache Tika. | CWE-835 | MEDIUM | MEDIUM | tika-core-1.19.1.jar |
| CVE-2019-10088 | A carefully crafted or corrupt zip file can cause an OOM in Apache Tika’s RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later. | CWE-119 | MEDIUM | HIGH | tika-core-1.19.1.jar |
| CVE-2019-10093 | In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later. | CWE-400 | MEDIUM | MEDIUM | tika-core-1.19.1.jar |
| CVE-2019-10094 | A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika’s RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later. | CWE-119 | MEDIUM | HIGH | tika-core-1.19.1.jar |
| CVE-2020-1950 | A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika’s PSDParser in versions 1.0-1.23. | CWE-400 | MEDIUM | tika-core-1.19.1.jar | |
| CVE-2020-1951 | A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika’s PSDParser in versions 1.0-1.23. | CWE-835 | MEDIUM | tika-core-1.19.1.jar | |
| CVE-2016-6809 | Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | CWE-502 | HIGH | CRITICAL | vorbis-java-tika-0.8.jar |
| CVE-2018-11761 | In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | CWE-611 | MEDIUM | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-11796 | In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later. | CWE-611 | MEDIUM | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-1335 | From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. | NVD-CWE-noinfo | HIGH | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-1338 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika’s BPGParser in versions of Apache Tika before 1.18. | CWE-835 | MEDIUM | MEDIUM | vorbis-java-tika-0.8.jar |
| CVE-2018-1339 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika’s ChmParser in versions of Apache Tika before 1.18. | CWE-835 | MEDIUM | MEDIUM | vorbis-java-tika-0.8.jar |
| CVE-2009-2625 | > A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service. > > – redhat.com | $enc.xml($cweEntry) | xercesImpl-2.9.1.jar | ||
| CVE-2012-0881 | Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. | CWE-399 | HIGH | HIGH | xercesImpl-2.9.1.jar |
| DOS in $sanitize | DOS in $sanitize | angular-cookies.min.js | |||
| Prototype pollution | Prototype pollution | angular-cookies.min.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular-cookies.min.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular-cookies.min.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular-cookies.min.js | |||
| DOS in $sanitize | DOS in $sanitize | angular-resource.min.js | |||
| Prototype pollution | Prototype pollution | angular-resource.min.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular-resource.min.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular-resource.min.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular-resource.min.js | |||
| DOS in $sanitize | DOS in $sanitize | angular-route.min.js | |||
| Prototype pollution | Prototype pollution | angular-route.min.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular-route.min.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular-route.min.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular-route.min.js | |||
| DOS in $sanitize | DOS in $sanitize | angular-sanitize.min.js | |||
| Prototype pollution | Prototype pollution | angular-sanitize.min.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular-sanitize.min.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular-sanitize.min.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular-sanitize.min.js | |||
| DOS in $sanitize | DOS in $sanitize | angular.js | |||
| Prototype pollution | Prototype pollution | angular.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular.js | |||
| DOS in $sanitize | DOS in $sanitize | angular.min.js | |||
| Prototype pollution | Prototype pollution | angular.min.js | |||
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | angular.min.js | |||
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | angular.min.js | |||
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | angular.min.js | |||
| CVE-2012-6708 | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the ‘<’ character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the ‘<’ character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2015-9251 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, , …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2015-9251 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | CWE-79 | MEDIUM | MEDIUM | jquery-2.1.3.min.js |
| CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, , …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. | CWE-79 | MEDIUM | MEDIUM | jquery-2.1.3.min.js |
| CVE-2017-15095 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. \ | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2017-17485 | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2017-7525 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-1000873 | Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. | CWE-20 | MEDIUM | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-11307 | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14718 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14719 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-14720 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-14721 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-19360 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-19361 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-19362 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | $enc.xml($cweEntry) | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2018-5968 | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | CWE-502 | MEDIUM | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-7489 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2019-14540 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-14893 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. |
CWE-502 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16942 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16943 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-17267 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-17531 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-20330 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | CWE-502 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-10672 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | NVD-CWE-Other | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-10673 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | NVD-CWE-Other | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-8840 | FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | CWE-502 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-9546 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | CWE-502 | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-9547 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | CWE-502 | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2020-9548 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | CWE-502 | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’) | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | CWE-611 | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |