[Apiiro] 3 risks

[apiiro-staging]

July 1 agg

Discovered on: Mar 10, 2024 14:21
Dependency: org.springframework:spring-web
Version:
Type: Direct
Introduced through:

• org.springframework:spring-web: 4.1.6.RELEASE

Vulnerabilities

• Pivotal Spring Framework DoS Attack with XML Input with CVSS score 5.5. fixed version: 4.1.7
• Spring Web vulnerable to Open Redirect or Server Side Request Forgery with CVSS score 8.100000381469727. fixed version: 5.3.0
• Pivotal Spring Framework contains unsafe Java deserialization methods with CVSS score 9.800000190734863. fixed version: 6.0.0
• Spring Framework URL Parsing with Host Validation Vulnerability with CVSS score 8.100000381469727. fixed version: 5.3.33
• Spring Framework URL Parsing with Host Validation with CVSS score 8.100000381469727. fixed version: 5.3.34
• Spring Framework RFD Protection Bypass Vulnerability with CVSS score 6.5. fixed version: 4.3.29
• Spring Framework Reflected File Download Vulnerability with CVSS score 9.600000381469727. fixed version: 4.1.8

About this package:

External dependency: org.springframework:spring-web - https://github.com/spring-projects/spring-framework
Package details: Spring Web
Latest version: 6.1.10
License: Apache-2.0
Insights:

• Backed by foundation - This package is backed by a respected OSS foundation and adheres to its maintenance standards
• Frequent commits - New code commits are frequently being pushed
• Has vulnerabilities - One or more vulnerabilities have been reported for this package

Remediation

Upgrade to org.springframework:spring-web@6.0.19:

1. Go to common/pom.xml
2. Replace vulnerable version 4.1.6.RELEASE with fix version 6.0.19
   View in Apiiro

Discovered on: Mar 10, 2024 15:57
Dependency: com.fasterxml.jackson.core:jackson-databind
Version:
Type: Direct
Introduced through:

• com.fasterxml.jackson.core:jackson-databind: 2.6.5

Vulnerabilities

• Serialization gadget exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• SSRF Vulnerability in FasterXML jackson-databind with CVSS score 10. fixed version: 2.6.7.2
• XXE Vulnerability in FasterXML jackson-databind 2.x with CVSS score 9.800000190734863. fixed version: 2.6.7.2
• Unspecified Impact Vulnerability in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Unspecified Impact Vulnerability in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Denial of Service Vulnerability in jackson-databind with CVSS score 4.699999809265137. fixed version: 2.16.0
• Deeply nested json in jackson-databind with CVSS score 7.5. fixed version: 2.12.6.1
• Code Injection in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.6
• jackson-databind is vulnerable to a deserialization flaw with CVSS score 9.800000190734863. fixed version: 2.6.7.1
• Polymorphic deserialization of malicious object in jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization with CVSS score 8.100000381469727. fixed version: 2.9.10.5
• Serialization gadgets exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• Serialization gadgets exploit in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.9.10.8
• Deserialization of Untrusted Data in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind Deserialization of Untrusted Data vulnerability with CVSS score 7.5. fixed version: 2.6.7.3
• Arbitrary Code Execution in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• XML External Entity (XXE) Injection in Jackson Databind with CVSS score 7.5. fixed version: 2.6.7.4
• Uncontrolled Resource Consumption in Jackson-databind with CVSS score 7.5. fixed version: 2.12.7.1
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind polymorphic typing issue with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Polymorphic Typing issue in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind polymorphic typing issue with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• Polymorphic Typing issue in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Arbitrary Code Execution in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of untrusted data in FasterXML jackson-databind with CVSS score 5.900000095367432. fixed version: 2.6.7.3
• Information exposure in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.6.7.3
• com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Polymorphic Typing in FasterXML jackson-databind with CVSS score 9.800000190734863. fixed version: 2.6.7.3
• Deserialization of Untrusted Data in FasterXML jackson-databind with CVSS score 5.900000095367432. fixed version: 2.6.7.3
• jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution with CVSS score 9.800000190734863. fixed version: 2.6.7.2
• Unsafe Deserialization in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• FasterXML jackson-databind allows unauthenticated remote code execution with CVSS score 9.800000190734863. fixed version: 2.7.9.3
• Deserialization of untrusted data in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.5
• Improper Input Validation in jackson-databind with CVSS score 9.800000190734863. fixed version: 2.8.11.5
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 8.800000190734863. fixed version: 2.6.7.4
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• jackson-databind mishandles the interaction between serialization gadgets and typing with CVSS score 9.800000190734863. fixed version: 2.7.9.7
• Deserialization of Untrusted Data in jackson-databind with CVSS score 8.100000381469727. fixed version: 2.6.7.3
• Uncontrolled Resource Consumption in FasterXML jackson-databind with CVSS score 7.5. fixed version: 2.12.7.1

About this package:

External dependency: com.fasterxml.jackson.core:jackson-databind - https://github.com/FasterXML/jackson
Package details: General data-binding functionality for Jackson: works on core streaming API
Latest version: 2.17.1
License: Apache-2.0
Insights:

• Frequent commits - New code commits are frequently being pushed
• Historical CVEs - This package had at least two critical or high CVEs in two consecutive years
• Has vulnerabilities - One or more vulnerabilities have been reported for this package
• High EPSS - This package has one vulnerability that is highly likely to be exploited according to the EPSS algorithm
• Exploit POC - This package has 5 vulnerabilities with proof of concept exploits.

Remediation

Upgrade to com.fasterxml.jackson.core:jackson-databind@2.16.0:

1. Go to api2-model/pom.xml
2. Replace vulnerable version 2.6.5 with fix version 2.16.0
   View in Apiiro

Discovered on: Mar 10, 2024 15:51
Dependency: org.codehaus.jackson:jackson-mapper-asl
Version: 1.9.13
Type: Sub dependency
Introduced through:

• org.codehaus.jackson:jackson-xc: 1.9.13 > org.codehaus.jackson:jackson-mapper-asl: 1.9.13

Vulnerabilities

• Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl with CVSS score 9.800000190734863.
• Improper Restriction of XML External Entity Reference in jackson-mapper-asl with CVSS score 7.5.

About this package:

External dependency: org.codehaus.jackson:jackson-mapper-asl - http://jackson.codehaus.org
Package details: Data Mapper package is a high-performance data binding package
built on Jackson JSON processor

Latest version: 1.9.13
License: Apache-2.0
Insights:

• Not fixable - This package includes a CVE that has not been fixed by an official release or patch
• Current CVE - A CVE on this package has not been fixed by an official release/patch
• Single maintainer - This package is maintained by a single developer
• Has vulnerabilities - One or more vulnerabilities have been reported for this package
• Exploit POC - This package has 1 vulnerabilities with proof of concept exploits.

Remediation

No remediation available.
View in Apiiro