forked from amaybaum-local/vprofile-project4
-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0) reachable #4
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-local-app
bot
added
the
Mend: dependency security vulnerability
Security vulnerability detected by Mend
label
Jun 4, 2023
1 task
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.8)
Jun 8, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.8)
spring-rabbit-1.7.1.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.8) reachable
Jun 8, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 14 vulnerabilities (highest severity is: 9.8) reachable
Jul 11, 2023
1 task
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 14 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 5.9)
Aug 6, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 5.9)
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0)
Aug 9, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0)
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0) reachable
Aug 14, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0) reachable
spring-rabbit-1.7.1.RELEASE.jar: 59 vulnerabilities (highest severity is: 9.8) reachable
Aug 15, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 59 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 58 vulnerabilities (highest severity is: 9.8) reachable
Nov 15, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 58 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 53 vulnerabilities (highest severity is: 9.8) reachable
Nov 22, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 53 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 59 vulnerabilities (highest severity is: 9.8) reachable
Nov 22, 2023
mend-local-app
bot
changed the title
spring-rabbit-1.7.1.RELEASE.jar: 59 vulnerabilities (highest severity is: 9.8) reachable
spring-rabbit-1.7.1.RELEASE.jar: 63 vulnerabilities (highest severity is: 10.0) reachable
Oct 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
0 participants
Vulnerable Library - spring-rabbit-1.7.1.RELEASE.jar
Spring RabbitMQ Support
Library home page: http://spring.io
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/springframework/amqp/spring-rabbit/1.7.1.RELEASE/spring-rabbit-1.7.1.RELEASE.jar
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Vulnerabilities
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Reachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
Unreachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-14721
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3
CVE-2020-9548
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4
CVE-2020-9547
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3
CVE-2020-9546
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3
CVE-2020-8840
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3
CVE-2020-11620
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Publish Date: 2020-04-07
URL: CVE-2020-11620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620
Release Date: 2020-04-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4
CVE-2020-11619
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Publish Date: 2020-04-07
URL: CVE-2020-11619
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619
Release Date: 2020-04-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4
CVE-2019-20330
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2
CVE-2019-17531
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
CVE-2019-17267
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10
CVE-2019-16943
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
CVE-2019-16942
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
CVE-2019-16335
Vulnerable Library - jackson-databind-2.8.4.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.4/jackson-databind-2.8.4.jar
Dependency Hierarchy:
Found in HEAD commit: 18b3a581959d86663c0481bca1df4bb39994eb38
Found in base branch: vp-rem
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution: 2.9.10
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: