File: valid-vulnerability-1.4.xml

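<?xml version="1.0" encoding="UTF-8"?>
<!--
  CycloneDX 1.4 test fixture: one component plus one vulnerability record that
  populates every optional vulnerability field. The fixture exists to be
  schema-valid; the advisory data inside it is illustrative, not authoritative.
  No DOCTYPE is declared and none should be added: interchange documents like
  this must be parsed with DTD and external-entity processing disabled.
-->
<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
    <components>
        <!-- The bom-ref is the purl itself; <affects>/<target>/<ref> below points at it. -->
        <component type="library" bom-ref="pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4">
            <group>com.fasterxml.jackson.core</group>
            <name>jackson-databind</name>
            <version>2.9.4</version>
            <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4</purl>
        </component>
    </components>
    <vulnerabilities>
        <vulnerability bom-ref="6eee14da-8f42-4cc4-bb65-203235f02415">
            <!-- Primary identifier is the Snyk advisory; the CVE is carried under <references>. -->
            <id>SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111</id>
            <source>
                <name>Snyk</name>
                <url>https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111</url>
            </source>
            <references>
                <!--
                  Fixed: both NVD urls previously pointed at CVE-2019-9997 while the
                  reference id is CVE-2018-7489; the url now matches the id it is
                  attached to. The two identical references are kept as found, since
                  they look like deliberate duplicate-handling test data (confirm before
                  collapsing them to one).
                -->
                <reference>
                    <id>CVE-2018-7489</id>
                    <source>
                        <name>NVD</name>
                        <url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</url>
                    </source>
                </reference>
                <reference>
                    <id>CVE-2018-7489</id>
                    <source>
                        <name>NVD</name>
                        <url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</url>
                    </source>
                </reference>
            </references>
            <ratings>
                <rating>
                    <source>
                        <name>NVD</name>
                        <url>https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&amp;version=3.0</url>
                    </source>
                    <score>9.8</score>
                    <severity>critical</severity>
                    <method>CVSSv3</method>
                    <!--
                      Fixed: the vector previously began with "AN/", which is not a CVSS v3
                      metric and would fail any vector parser; the source url above carries
                      the intended AV:N, so the vector now agrees with it and with the 9.8 score.
                    -->
                    <vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</vector>
                    <!-- Placeholder text; the schema allows free-form justification here. -->
                    <justification>An optional reason for rating the vulnerability as it was</justification>
                </rating>
            </ratings>
            <cwes>
                <!-- 184: Incomplete List of Disallowed Inputs; 502: Deserialization of Untrusted Data (as the description states). -->
                <cwe>184</cwe>
                <cwe>502</cwe>
            </cwes>
            <description>FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.</description>
            <detail></detail>
            <!--
              NOTE(review): the lowest fixed version differs between the description
              (2.7.9.3), this recommendation (2.6.7.5) and the affected ranges below
              (2.6.7.5). Left as found because the fixture only needs to be schema-valid;
              confirm against the advisory before reusing these values in real triage.
            -->
            <recommendation>Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.</recommendation>
            <advisories>
                <advisory>
                    <title>GitHub Commit</title>
                    <url>https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2</url>
                </advisory>
                <advisory>
                    <title>GitHub Issue</title>
                    <url>https://github.com/FasterXML/jackson-databind/issues/1931</url>
                </advisory>
            </advisories>
            <!-- Placeholder timestamps (xs:dateTime, UTC); they do not reflect the 2018 advisory dates. -->
            <created>2021-01-01T00:00:00.000Z</created>
            <published>2021-01-01T00:00:00.000Z</published>
            <updated>2021-01-01T00:00:00.000Z</updated>
            <credits>
                <organizations>
                    <organization>
                        <name>Acme, Inc.</name>
                        <url>https://example.com</url>
                    </organization>
                </organizations>
                <individuals>
                    <individual>
                        <name>Jane Doe</name>
                        <email>jane.doe@example.com</email>
                    </individual>
                </individuals>
            </credits>
            <tools>
                <tool>
                    <vendor>Snyk</vendor>
                    <name>Snyk CLI (Linux)</name>
                    <version>1.729.0</version>
                    <!-- Hash of the scanning tool as declared by the producer; nothing here verifies it. -->
                    <hashes>
                        <hash alg="SHA-256">2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d</hash>
                    </hashes>
                </tool>
            </tools>
            <!--
              NOTE(review): not_affected/code_not_reachable combined with both a
              will_not_fix and an update response is contradictory for a real VEX
              statement; presumably present to exercise every enum value. Kept as found.
            -->
            <analysis>
                <state>not_affected</state>
                <justification>code_not_reachable</justification>
                <responses>
                    <response>will_not_fix</response>
                    <response>update</response>
                </responses>
                <detail>An optional explanation of why the application is not affected by the vulnerable component.</detail>
            </analysis>
            <affects>
                <target>
                    <ref>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4</ref>
                    <!--
                      Fixed: in vers notation a constraint with no comparator is an equality
                      constraint, so "2.7.0|<2.8.11.1" read as "exactly 2.7.0 or below 2.8.11.1"
                      and overlapped the first range. The lower bounds now use ">=" so each
                      range is a proper half-open interval.
                    -->
                    <versions>
                        <version>
                            <range>vers:semver/&lt;2.6.7.5</range>
                            <status>affected</status>
                        </version>
                        <version>
                            <range>vers:semver/&gt;=2.7.0|&lt;2.8.11.1</range>
                            <status>affected</status>
                        </version>
                        <version>
                            <range>vers:semver/&gt;=2.9.0|&lt;2.9.5</range>
                            <status>affected</status>
                        </version>
                    </versions>
                </target>
            </affects>
            <!-- Repeated property names are permitted by the schema; kept as found (duplicate-handling test data). -->
            <properties>
                <property name="Foo">Bar</property>
                <property name="Foo">You</property>
                <property name="Foo">Two</property>
                <property name="Bar">Foo</property>
            </properties>
        </vulnerability>
    </vulnerabilities>
</bom>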