Total
56 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36185 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | |||||
| CVE-2020-36184 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | |||||
| CVE-2020-36182 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | |||||
| CVE-2020-36183 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | |||||
| CVE-2020-36181 | 4 Debian, Fasterxml, Netapp and 1 more | 44 Debian Linux, Jackson-databind, Service Level Manager and 41 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. | |||||
| CVE-2020-35728 | 4 Debian, Fasterxml, Netapp and 1 more | 40 Debian Linux, Jackson-databind, Service Level Manager and 37 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). | |||||
| CVE-2020-17521 | 3 Apache, Netapp, Oracle | 20 Atlas, Groovy, Snapcenter and 17 more | 2022-07-25 | 2.1 LOW | 5.5 MEDIUM |
| Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. | |||||
| CVE-2019-10086 | 6 Apache, Debian, Fedoraproject and 3 more | 60 Commons Beanutils, Nifi, Debian Linux and 57 more | 2022-07-25 | 7.5 HIGH | 7.3 HIGH |
| In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | |||||
| CVE-2020-5413 | 2 Oracle, Vmware | 8 Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance and 5 more | 2022-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code. | |||||
| CVE-2020-11979 | 4 Apache, Fedoraproject, Gradle and 1 more | 37 Ant, Fedora, Gradle and 34 more | 2022-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. | |||||
| CVE-2020-6950 | 2 Eclipse, Oracle | 9 Mojarra, Banking Enterprise Default Management, Banking Platform and 6 more | 2022-05-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | |||||
| CVE-2019-17091 | 2 Eclipse, Oracle | 23 Mojarra, Application Testing Suite, Banking Enterprise Product Manufacturing and 20 more | 2022-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. | |||||
| CVE-2020-1945 | 5 Apache, Canonical, Fedoraproject and 2 more | 50 Ant, Ubuntu Linux, Fedora and 47 more | 2022-04-04 | 3.3 LOW | 6.3 MEDIUM |
| Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. | |||||
| CVE-2020-11113 | 4 Debian, Fasterxml, Netapp and 1 more | 32 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 29 more | 2021-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | |||||
| CVE-2020-11112 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2021-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | |||||
| CVE-2020-11111 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 22 more | 2021-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | |||||
| CVE-2020-10672 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2021-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | |||||
| CVE-2020-10673 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2021-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | |||||
| CVE-2020-10968 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2021-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | |||||
| CVE-2020-10969 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more | 2021-12-07 | 6.8 MEDIUM | 8.8 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | |||||