Findings for Critical #15
Comments
Finding [141965004|https://app.armorcode.com/#/findings/185/656/141965004] status changed from Open to Confirmed
Finding [141965083|https://app.armorcode.com/#/findings/185/656/141965083] status changed from Open to Confirmed
Finding [141965031|https://app.armorcode.com/#/findings/185/656/141965031] status changed from Open to Confirmed
Finding [141965085|https://app.armorcode.com/#/findings/185/656/141965085] status changed from Open to Confirmed
Finding [141965009|https://app.armorcode.com/#/findings/185/656/141965009] status changed from Open to Confirmed
Finding [141965003|https://app.armorcode.com/#/findings/185/656/141965003] status changed from Open to Confirmed
Finding [141965030|https://app.armorcode.com/#/findings/185/656/141965030] status changed from Open to Confirmed
Finding [141965026|https://app.armorcode.com/#/findings/185/656/141965026] status changed from Open to Confirmed
Finding [141965047|https://app.armorcode.com/#/findings/185/656/141965047] status changed from Open to Confirmed
Finding [141965060|https://app.armorcode.com/#/findings/185/656/141965060] status changed from Open to Confirmed
Finding [141965000|https://app.armorcode.com/#/findings/185/656/141965000] status changed from Open to Confirmed
Finding [141965036|https://app.armorcode.com/#/findings/185/656/141965036] status changed from Open to Confirmed
Finding [141964998|https://app.armorcode.com/#/findings/185/656/141964998] status changed from Open to Confirmed
Finding [141965042|https://app.armorcode.com/#/findings/185/656/141965042] status changed from Open to Confirmed
Finding [141965032|https://app.armorcode.com/#/findings/185/656/141965032] status changed from Open to Confirmed
Finding [141965045|https://app.armorcode.com/#/findings/185/656/141965045] status changed from Open to Confirmed
Finding [141965033|https://app.armorcode.com/#/findings/185/656/141965033] status changed from Open to Confirmed
Finding [141965006|https://app.armorcode.com/#/findings/185/656/141965006] status changed from Open to Confirmed
Finding [141965034|https://app.armorcode.com/#/findings/185/656/141965034] status changed from Open to Confirmed
Finding [141965001|https://app.armorcode.com/#/findings/185/656/141965001] status changed from Open to Confirmed
Finding [141965044|https://app.armorcode.com/#/findings/185/656/141965044] status changed from Open to Confirmed
Finding [141965007|https://app.armorcode.com/#/findings/185/656/141965007] status changed from Open to Confirmed
Finding [141965039|https://app.armorcode.com/#/findings/185/656/141965039] status changed from Open to Confirmed
Finding [141965038|https://app.armorcode.com/#/findings/185/656/141965038] status changed from Open to Confirmed
Finding [141965037|https://app.armorcode.com/#/findings/185/656/141965037] status changed from Open to Confirmed
Findings for Critical
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
References:
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
References:
Regular expression in ParametersInterceptor matches top'foo' as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression and since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
References:
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
References:
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
References:
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
References:
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
References:
jackson-databind in versions prior to 2.8.10 and 2.9.1 contains a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additional vulnerable classes.
References:
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
References:
In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
References:
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
References:
FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
References:
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
References:
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
References:
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
References:
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
References:
FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
References:
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
References:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
References:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
References:
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
References: