Page Comparison

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

Found a License in the 'Use Restrictions' License Threat Group

Likely false positive identified in the tool

 JavaMail is vulnerable to Information Exposure. The getUniqueMessageIDValue() method in the UniqueValue class file appends the username and the hostname of the Java process when generating the Message-Id for an email. This can lead to unintended information leakage in the email headers and potentially lead to security issues.

Not applicable; as the specified method is not invoked

Added 3/20/19 - No non vulnerable version available

False Positive

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

 The spring-security-web package is vulnerable to Cross-Site Request Forgery (CSRF). The doFilter() method in the SwitchUserFilter, which is reachable via a GET request, does not require any form of confirmation that the user sending the request intended to do so

Not applicable; as the specified method is not invoked

 Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. 

Upgrade to 5.1.5.RELEASE

Not applicable; as the specified method is not invoked

sonatype-2015-0090 - libphonenumber - A Cross Site Scripting vulnerability was found which is exploitable by manipulating the inputs

Not applicable

 JavaMail is vulnerable to Information Exposure. The getUniqueMessageIDValue() method in the UniqueValue class file appends the username and the hostname of the Java process when generating the Message-Id for an email. This can lead to unintended information leakage in the email headers and potentially lead to security issues.

Not applicable; as the specified method is not invoked

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9,

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

Description from CVE Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

Description from CVE Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.

Description from CVE An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Explanation The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Analysis Note:BBS-ep does not use Jackson for its JSON serialization/deserialization logic (it uses Gson). Jackson databind artifact is only used at runtime by Swagger.

Found a License in the 'Use Restrictions' License Threat Group

Likely false positive identified in the tool

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5

.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

Upgrade to 2.9.7 for consistency

 Request Exceptiondcaegen2/services/mappercom.fasterxml.jackson.core:jackson-databind:2.97 

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component when stripAbsolutePathSpec is false.
You are not vulnerable if you are running the applicable .patch file available in 1.10.1 of rpm.

Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. 

 Detection

The application is vulnerable by using this component

Workaround: Do not use the default typing. Instead you will need to implement your own.

if you are running any of the following versions of Java:

Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when stripAbsolutePathSpec is false. You default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running the applicable .patch file available in 1.10.1 of rpm.

Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The setupCurrentEntity() method in the XMLEntityManager class lacks a connection timeout mechanism. 

 DetectionSpring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component if you are running any of the following versions of Java:

Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144

, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS)

vulnerability. The

deserialize() method in the

DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.xto hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

 jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Workaround: Do not use the default typing. Instead you will need to implement your own.

The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation.

The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.

The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized.

Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995).  If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Workaround: Do not use the default typing. Instead you will need to implement your own.

It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlersIt is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…) – you just have to implement your own TypeResolverBuilder (which is not very difficult); and by doing so, can actually configure all aspects of type information. Builder itself is just a short-cut for building actual handlers.

Remove this dependency if workaround exist; if not upgrade to 2.9.8

Remove this dependency if workaround exist; if not upgrade to 2.9.8

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

The postgresql package is vulnerable to Man-in-the-Middle (MitM) attacks.  When using a non-default SSL Factory, the postgresql jdbc doesn't validate the hostname of SSL certificates.  An attacker can potentially exploit this behavior to perform a MitM attack.

The postgresql package is vulnerable to Man-in-the-Middle (MitM) attacks.  When using a non-default SSL Factory, the postgresql jdbc doesn't validate the hostname of SSL certificates.  An attacker can potentially exploit this behavior to perform a MitM attack.

 Switch to 42.2.5

Switch to 5.0.11.RELEASE

The Spring spring-data-jpa package is vulnerable to Information Disclosure. The postProcess() method in the JpaRepositoryConfigExtension class, the build() method in the JpaQueryCreator$PredicateBuilder class, the create() method in the JpaQueryLookupStrategy() class, the next() method in the ParameterMetadataProvider class, the prepare() method in the ParameterMetadataProvider$ParameterMetadata class, the createCreator() method in the PartTreeJpaQuery$QueryPreparer class, the getQueryLookupStrategy() method in the JpaRepositoryFactory class, and the createRepositoryFactory() method in the JpaRepositoryBean class allow control characters in LIKE expressions.

The dom4j package is vulnerable to XML Injection. The QName() function in the QName class file does not properly sanitize the QName input attribute value(s). A remote attacker can exploit this vulnerability by injecting an XML object that contains arbitrary code in the element and attribute names, hence leading to XML Injection.