Page Comparison

Description from CVE The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. Explanation

Apache Camel is vulnerable to Remote Code Execution (RCE) due to unsafe deserialization of java objects using the Xstream component. The camel-xstream component uses the Xstream component without proper security restrictions allowing arbitrary classes to be serialized/deserialized. This allows a remote attacker to inject malicious payload via a crafted serialized Java object in an HTTP request resulting in arbitrary code execution upon deserialization.

No non-vulnerable version available

Request Exception

Description from CVE Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor. Explanation

The Apache Camel package is vulnerable to XML eXternal Entity (XXE) Injection. The doProcess() function's conditional logic in ValidatingProcessor.class can, in some cases, allow external DTDs to be evaluated, even when they are disabled. A remote attacker can exploit this vulnerability to conduct Server Side Request Forgery (SSRF), exfiltrate data, or other XXE related attacks.

No non-vulnerable version available

Description from CVE Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Explanation

Netty is vulnerable to Information Disclosure. Multiple methods in multiple files improperly validate cookie names and values. This allows the presence of single-quote and double-quote characters to break tokenization. A remote attacker can exploit this vulnerability by inducing a victim to send a crafted request containing quote characters in any parameter value that sets a cookie. If that tainted cookie gets reflected in the response, the attacker can then use Cross-Site Scripting (XSS) to potentially retrieve the entire cookie header, despite the presence of an HttpOnly flag.

Description from CVE Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Description from CVE Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. Explanation

Apache Camel's Validation Component is vulnerable to Server Side Request Forgery(SSRF). The createSchemaFactory() method in the SchemaReader.class file doesn't validate for XML External Entities. A remote attacker can use this flaw to inject XML documents with remote DTD URLs or XML External Entities (XXE), which leads to Server Side Request Forgery(SSRF).

No non-vulnerable version available

Description from CVE No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. Explanation

Apache Zookeeper is vulnerable to Insufficient Authorization. The connectToLeader() method in the Learner class connects to “Leader” servers without ensuring that the server's host name matches the address used by the Socket when establishing the connection, and without requiring authentication or authorization. An attacker with access to the Zookeeper quorum can exploit this vulnerability to connect an unauthorized host to the quorum. The attacker could then propagate changes from the malicious host to the “Leader” server, potentially leading to further attacks.

Description from CVE WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames. Explanation

Due to a flaw in the WebSocket08FrameDecoder implementation, Netty is prone to denial of service (DoS) attacks. An out-of-memory error occurs in the WebSocket08FrameDecoder implementation while processing a TextWebSocketFrame that is followed by a long stream of ContinuationWebSocketFrames.

Description from CVE In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss. Explanation

Apache Kafka is vulnerable to Information Exposure. The handleFetchRequest method of the KafkaApis.scala file does not check authorizations correctly when handling Fetch requests for replication. This allows malicious consumers to impersonate brokers. An authenticated attacker can forge Fetch requests that contain a broker ID and therefore confuse the cluster. When the payload executes, it can cause multiple security issues.

Description from CVE FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. Explanation

jackson-databind is vulnerable to Server-Side Request Forgery (SSRF) via Deserialization of Untrusted Data. The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in the execution of SSRF attacks if the application attempts to deserialize it.

Description from CVE FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Explanation

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Description from CVE FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. Explanation

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Description from CVE FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. Explanation

jackson-databind is vulnerable to XML eXternal Entity (XXE) attacks via Deserialization of Untrusted Data. The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in the execution of XXE attacks if the application attempts to deserialize it.

Explanation

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Description from CVE Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Databind that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. Explanation

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

Description from CVE Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. Explanation

The Spring Framework is vulnerable to Denial of Service (DoS). The toResourceRegions() and parseRanges() methods in the HttpRange class process range requests with a large number of extensive ranges which can overlap causing additional resource consumption. An attacker can exploit this vulnerability by submitting a request with a malicious range header that includes overlapping and/or extensive ranges which exhaust the server's resources leading to a DoS.

Description from CVE In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

Description from CVE Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation

The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation

The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Impacted method/class not used.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

The application is vulnerable by using this component when WRITE_BIGDECIMAL_AS_PLAIN is explicitly enabled. By default, WRITE_BIGDECIMAL_AS_PLAIN is disabled

jackson-core is vulnerable to Denial of Service (DoS). The _reportInvalidToken() function in the UTF8StreamJsonParser and ReaderBasedJsonParser classes allows large amounts of extraneous data to be printed to the server log

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

 Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class

The application is vulnerable by using this component if it uses Java deserialization or GWT-RPC to deserialize untrusted data.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

 The spring-security-web package is vulnerable to Cross-Site Request Forgery (CSRF). The doFilter() method in the SwitchUserFilter, which is reachable via a GET request, does not require any form of confirmation that the user sending the request intended to do so

Not applicable; as the specified method is not invoked

sonatype-2015-0090 - libphonenumber - A Cross Site Scripting vulnerability was found which is exploitable by manipulating the inputs

Not applicable

 JavaMail is vulnerable to Information Exposure. The getUniqueMessageIDValue() method in the UniqueValue class file appends the username and the hostname of the Java process when generating the Message-Id for an email. This can lead to unintended information leakage in the email headers and potentially lead to security issues.

Not applicable; as the specified method is not invoked

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9,

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

Description from CVE Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

Description from CVE Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

Found a License in the 'Use Restrictions' License Threat Group

Likely false positive identified in the tool

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component when stripAbsolutePathSpec is false.
You are not vulnerable if you are running the applicable .patch file available in 1.10.1 of rpm.

Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. 

 Detection

The application is vulnerable by using this component if you are running any of the following versions of Java:

Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.