El Alto ExtAPI Security/Vulnerability Report

Owned by Amy Zwarico
Nov 02, 2019
1 min read

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.



Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

Repository

Group

Problem Code

Effective/Ineffective

Resolvable by Project

Impact Analysis

Action

externalapi-nbi

com.fasterxml.jackson.core

N/A

Ineffective



DefaultTyping is disabled, polymorphism with default typing or manual setting by property are not used in NBI.



Spring security not used

Yes

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization.

Check the incoming 2.10.x which is available as pre release for the moment