CVE Security Report - SICS Search SolrNode
This report is generated on: 20.01.2020, 03:07:18 UTC using dependency-check version: 5.0.0.
The report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.
| Name | Description | CWE | CVSS v2.0 Severity | CVSS v3.0 Severity | Dependency |
|---|---|---|---|---|---|
| CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | CWE-502 | MEDIUM | MEDIUM | carrot2-guava-18.0.jar |
| CVE-2019-10086 | In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | CWE-502 | HIGH | HIGH | commons-beanutils-1.9.3.jar |
| CVE-2019-12402 | The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. | CWE-399 | MEDIUM | HIGH | commons-compress-1.18.jar |
| CVE-2018-1000632 | dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. | CWE-91 | MEDIUM | HIGH | dom4j-1.6.1.jar |
| CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | CWE-502 | MEDIUM | MEDIUM | guava-14.0.1.jar |
| CVE-2018-1000873 | Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. | CWE-20 | MEDIUM | MEDIUM | jackson-databind-2.9.6.jar |
| CVE-2018-14718 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-14719 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-14720 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | CWE-611 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-14721 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | CWE-918 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-19360 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-19361 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2018-19362 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2019-12086 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | CWE-200 | MEDIUM | HIGH | jackson-databind-2.9.6.jar |
| CVE-2019-12384 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | CWE-502 | MEDIUM | MEDIUM | jackson-databind-2.9.6.jar |
| CVE-2019-12814 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | CWE-200 | MEDIUM | MEDIUM | jackson-databind-2.9.6.jar |
| CVE-2019-14379 | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | CWE-20 | HIGH | CRITICAL | jackson-databind-2.9.6.jar |
| CVE-2019-14439 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. | CWE-200 | MEDIUM | HIGH | jackson-databind-2.9.6.jar |
| CVE-2019-14540 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-16942 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-16943 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-17267 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-17531 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. | CWE-20 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-20330 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | CWE-502 | HIGH | jackson-databind-2.9.6.jar | |
| CVE-2019-10241 | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. | CWE-79 | MEDIUM | MEDIUM | jetty-jmx-9.4.14.v20181114.jar |
| CVE-2019-10247 | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | CWE-200 | MEDIUM | MEDIUM | jetty-jmx-9.4.14.v20181114.jar |
| CVE-2019-10241 | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. | CWE-79 | MEDIUM | MEDIUM | jetty-security-9.4.14.v20181114.jar |
| CVE-2019-10247 | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | CWE-200 | MEDIUM | MEDIUM | jetty-security-9.4.14.v20181114.jar |
| CVE-2017-14868 | Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension. | CWE-611 | MEDIUM | HIGH | org.restlet-2.3.0.jar |
| CVE-2017-14949 | Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation. | CWE-611 | MEDIUM | HIGH | org.restlet-2.3.0.jar |
| CVE-2019-12415 | In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | CWE-611 | LOW | poi-4.0.0.jar | |
| CVE-2017-1000190 | SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on. | CWE-611 | MEDIUM | CRITICAL | simple-xml-2.7.1.jar |
| CVE-2019-0193 | In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request’s “dataConfig” parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property “enable.dih.dataConfigParam” to true. | | HIGH | solr-core-8.0.0.jar | |
| CVE-2018-17197 | A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika’s SQLite3Parser in versions 1.8-1.19.1 of Apache Tika. | CWE-835 | MEDIUM | MEDIUM | tika-core-1.19.1.jar |
| CVE-2019-10088 | A carefully crafted or corrupt zip file can cause an OOM in Apache Tika’s RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later. | CWE-119 | MEDIUM | HIGH | tika-core-1.19.1.jar |
| CVE-2019-10093 | In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later. | CWE-400 | MEDIUM | MEDIUM | tika-core-1.19.1.jar |
| CVE-2019-10094 | A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika’s RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later. | CWE-119 | MEDIUM | HIGH | tika-core-1.19.1.jar |
| CVE-2016-6809 | Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | CWE-502 | HIGH | CRITICAL | vorbis-java-tika-0.8.jar |
| CVE-2018-11761 | In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | CWE-611 | MEDIUM | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-11796 | In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later. | CWE-611 | MEDIUM | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-1335 | From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18. | NVD-CWE-noinfo | HIGH | HIGH | vorbis-java-tika-0.8.jar |
| CVE-2018-1338 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika’s BPGParser in versions of Apache Tika before 1.18. | CWE-835 | MEDIUM | MEDIUM | vorbis-java-tika-0.8.jar |
| CVE-2018-1339 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika’s ChmParser in versions of Apache Tika before 1.18. | CWE-835 | MEDIUM | MEDIUM | vorbis-java-tika-0.8.jar |
| CVE-2009-2625 | "A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service." – redhat.com | | | | xercesImpl-2.9.1.jar |
| CVE-2012-0881 | Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. | CWE-399 | HIGH | HIGH | xercesImpl-2.9.1.jar |
| CVE-2019-0201 | An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users. | | MEDIUM | zookeeper-3.4.13.jar | |
| DOS in $sanitize | DOS in $sanitize | | | | angular-cookies.min.js |
| Prototype pollution | Prototype pollution | | | | angular-cookies.min.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular-cookies.min.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular-cookies.min.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular-cookies.min.js |
| DOS in $sanitize | DOS in $sanitize | | | | angular-resource.min.js |
| Prototype pollution | Prototype pollution | | | | angular-resource.min.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular-resource.min.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular-resource.min.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular-resource.min.js |
| DOS in $sanitize | DOS in $sanitize | | | | angular-route.min.js |
| Prototype pollution | Prototype pollution | | | | angular-route.min.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular-route.min.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular-route.min.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular-route.min.js |
| DOS in $sanitize | DOS in $sanitize | | | | angular-sanitize.min.js |
| Prototype pollution | Prototype pollution | | | | angular-sanitize.min.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular-sanitize.min.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular-sanitize.min.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular-sanitize.min.js |
| DOS in $sanitize | DOS in $sanitize | | | | angular.js |
| Prototype pollution | Prototype pollution | | | | angular.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular.js |
| DOS in $sanitize | DOS in $sanitize | | | | angular.min.js |
| Prototype pollution | Prototype pollution | | | | angular.min.js |
| The attribute usemap can be used as a security exploit | The attribute usemap can be used as a security exploit | | | | angular.min.js |
| Universal CSP bypass via add-on in Firefox | Universal CSP bypass via add-on in Firefox | | | | angular.min.js |
| XSS in $sanitize in Safari/Firefox | XSS in $sanitize in Safari/Firefox | | | | angular.min.js |
| CVE-2012-6708 | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the ‘<’ character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the ‘<’ character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2015-9251 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype. | CWE-79 | MEDIUM | MEDIUM | jquery-1.7.2.min.js |
| CVE-2015-9251 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | CWE-79 | MEDIUM | MEDIUM | jquery-2.1.3.min.js |
| CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype. | CWE-79 | MEDIUM | MEDIUM | jquery-2.1.3.min.js |
| CVE-2017-15095 | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2017-17485 | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2017-7525 | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-1000873 | Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. | CWE-20 | MEDIUM | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-11307 | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14718 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14719 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14720 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-14721 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-19360 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-19361 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-19362 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | | | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-5968 | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | CWE-502 | MEDIUM | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2018-7489 | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. | CWE-502 | HIGH | CRITICAL | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |
| CVE-2019-14540 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16335 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16942 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-16943 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-17267 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-17531 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. | CWE-20 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CVE-2019-20330 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | CWE-502 | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | |
| CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’) | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | CWE-611 | MEDIUM | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) |