[Bugs] [Bug 13246] New: [CVE 21] jackson-databind 2.9.9.3 CVEs found

bugzilla bugzilla at rosalinux.ru
Tue May 2 11:54:37 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13246

          Platform: ---
            Bug ID: 13246
           Summary: [CVE 21] jackson-databind 2.9.9.3 CVEs found
    Classification: ROSA-based products
           Product: Certified ROSA distros
           Version: Chrome
          Hardware: All
               URL: CVE-2019-14540, CVE-2019-14892, CVE-2019-14893,
                    CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
                    CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
                    CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,
                    CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
                    CVE-2020-11113, CVE-2020-11619, CVE-2020-11620,
                    CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
                    CVE-2020-14195, CVE-2020-24616, CVE-2020-24750,
                    CVE-2020-25649, CVE-2020-35490, CVE-2020-35491,
                    CVE-2020-35728, CVE-2020-36179, CVE-2020-36180,
                    CVE-2020-36181, CVE-2020-36182, CVE-2020-36183,
                    CVE-2020-36184, CVE-2020-36185, CVE-2020-36186,
                    CVE-2020-36187, CVE-2020-36188, CVE-2020-36189,
                    CVE-2020-36518, CVE-2020-8840, CVE-2020-9546,
                    CVE-2020-9547, CVE-2020-9548, CVE-2021-20190,
                    CVE-2022-42003, CVE-2022-42004,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
  Target Milestone: ---
             Group: ROSA-plus-NTCIT
             Flags: secteam_verified?

Please patch CVEs for package jackson-databind version 2.9.9.3
INFO (CVEs are): jackson-databind 2.9.9.3 CVEs found
CVE-2019-14540
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14540
Severity: CRITICAL
CVE-2019-14892
Desc: A flaw was discovered in jackson-databind in versions before 2.9.10,
2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a
malicious object using commons-configuration 1 and 2 JNDI classes. An attacker
could use this flaw to execute arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14892
Severity: CRITICAL
CVE-2019-14893
Desc: A flaw was discovered in FasterXML jackson-databind in all versions
before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of
malicious objects using the xalan JNDI gadget when used in conjunction with
polymorphic type handling methods such as `enableDefaultTyping()` or when
@JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way
which ObjectMapper.readValue might instantiate objects from unsafe sources. An
attacker could use this flaw to execute arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14893
Severity: CRITICAL
CVE-2019-16335
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a
different vulnerability than CVE-2019-14540.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16335
Severity: CRITICAL
CVE-2019-16942
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI
service endpoint to access, it is possible to make the service execute a
malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16942
Severity: CRITICAL
CVE-2019-16943
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service
endpoint to access, it is possible to make the service execute a malicious
payload. This issue exists because of com.p6spy.engine.spy.P6DataSource
mishandling.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16943
Severity: CRITICAL
CVE-2019-17267
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17267
Severity: CRITICAL
CVE-2019-17531
Desc: A Polymorphic Typing issue was discovered in FasterXML jackson-databind
2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker
can provide a JNDI service to access, it is possible to make the service
execute a malicious payload.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17531
Severity: CRITICAL
CVE-2019-20330
Desc: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain
net.sf.ehcache blocking.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-20330
Severity: CRITICAL
CVE-2020-10672
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka
aries.transaction.jms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10672
Severity: HIGH
CVE-2020-10673
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
com.caucho.config.types.ResourceRef (aka caucho-quercus).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10673
Severity: HIGH
CVE-2020-10968
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10968
Severity: HIGH
CVE-2020-10969
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to javax.swing.JEditorPane.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10969
Severity: HIGH
CVE-2020-11111
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to org.apache.activemq.* (aka
activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11111
Severity: HIGH
CVE-2020-11112
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.proxy.provider.remoting.RmiProvider (aka
apache/commons-proxy).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11112
Severity: HIGH
CVE-2020-11113
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11113
Severity: HIGH
CVE-2020-11619
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11619
Severity: HIGH
CVE-2020-11620
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11620
Severity: HIGH
CVE-2020-14060
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction
between serialization gadgets and typing, related to
oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14060
Severity: HIGH
CVE-2020-14061
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction
between serialization gadgets and typing, related to
oracle.jms.AQjmsQueueConnectionFactory,
oracle.jms.AQjmsXATopicConnectionFactory,
oracle.jms.AQjmsTopicConnectionFactory,
oracle.jms.AQjmsXAQueueConnectionFactory, and
oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14061
Severity: HIGH
CVE-2020-14062
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction
between serialization gadgets and typing, related to
com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14062
Severity: HIGH
CVE-2020-14195
Desc: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction
between serialization gadgets and typing, related to
org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-14195
Severity: HIGH
CVE-2020-24616
Desc: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction
between serialization gadgets and typing, related to
br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-24616
Severity: HIGH
CVE-2020-24750
Desc: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction
between serialization gadgets and typing, related to
com.pastdev.httpcomponents.configuration.JndiConfiguration.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-24750
Severity: HIGH
CVE-2020-25649
Desc: A flaw was found in FasterXML Jackson Databind, where it did not have
entity expansion secured properly. This flaw allows vulnerability to XML
external entity (XXE) attacks. The highest threat from this vulnerability is
data integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25649
Severity: HIGH
CVE-2020-35490
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35490
Severity: HIGH
CVE-2020-35491
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35491
Severity: HIGH
CVE-2020-35728
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded
Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35728
Severity: HIGH
CVE-2020-36179
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36179
Severity: HIGH
CVE-2020-36180
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36180
Severity: HIGH
CVE-2020-36181
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36181
Severity: HIGH
CVE-2020-36182
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36182
Severity: HIGH
CVE-2020-36183
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36183
Severity: HIGH
CVE-2020-36184
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36184
Severity: HIGH
CVE-2020-36185
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36185
Severity: HIGH
CVE-2020-36186
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36186
Severity: HIGH
CVE-2020-36187
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36187
Severity: HIGH
CVE-2020-36188
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36188
Severity: HIGH
CVE-2020-36189
Desc: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36189
Severity: HIGH
CVE-2020-36518
Desc: jackson-databind before 2.13.0 allows a Java StackOverflow exception and
denial of service via a large depth of nested objects.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
Severity: HIGH
CVE-2020-8840
Desc: FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
xbean-reflect/JNDI blocking, as demonstrated by
org.apache.xbean.propertyeditor.JndiConverter.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-8840
Severity: CRITICAL
CVE-2020-9546
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded
hikari-config).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9546
Severity: CRITICAL
CVE-2020-9547
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka
ibatis-sqlmap).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9547
Severity: CRITICAL
CVE-2020-9548
Desc: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-9548
Severity: CRITICAL
CVE-2021-20190
Desc: A flaw was found in jackson-databind before 2.9.10.7. FasterXML
mishandles the interaction between serialization gadgets and typing. The
highest threat from this vulnerability is to data confidentiality and integrity
as well as system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20190
Severity: HIGH
CVE-2022-42003
Desc: In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can
occur because of a lack of a check in primitive value deserializers to avoid
deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is
enabled. Additional fix versions are 2.13.4.1 and 2.12.17.1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-42003
Severity: HIGH
CVE-2022-42004
Desc: In FasterXML jackson-databind before 2.13.4, resource exhaustion can
occur because of a lack of a check in BeanDeserializer._deserializeFromArray to
prevent use of deeply nested arrays. An application is vulnerable only with
certain customized choices for deserialization.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-42004
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.