You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented
applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or
annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping
tools.
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
mend-for-github-combot
changed the title
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8)
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8) reachable
Dec 18, 2024
mend-for-github-combot
changed the title
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8) reachable
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable
Dec 22, 2024
mend-for-github-combot
changed the title
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable
Dec 24, 2024
mend-for-github-combot
changed the title
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable
Jan 24, 2025
mend-for-github-combot
changed the title
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable
camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable
Jan 24, 2025
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - dom4j-2.1.1.jar
flexible XML framework for Java
Library home page: http://dom4j.github.io/
Path to dependency file: /messaging-kafka/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Publish Date: 2020-05-01
URL: CVE-2020-10683
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-05-01
Fix Resolution: org.dom4j:dom4j:2.1.3,org.dom4j:dom4j:2.0.3
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
CVSS 3 Score Details (8.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
Vulnerable Library - mybatis-3.4.4.jar
The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.4/mybatis-3.4.4.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-10
Fix Resolution: org.mybatis:mybatis:3.5.6
Vulnerable Library - gson-2.8.6.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Vulnerable Library - gson-2.8.6.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
Vulnerable Library - json-smart-2.3.jar
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /messaging-kafka/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-13
URL: CVE-2023-1370
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
Release Date: 2023-03-13
Fix Resolution: net.minidev:json-smart:2.4.9
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution: org.yaml:snakeyaml:1.31
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution: org.yaml:snakeyaml:1.26
Vulnerable Library - hibernate-core-5.4.12.Final.jar
Hibernate's core ORM functionality
Library home page: http://hibernate.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/5.4.12.Final/hibernate-core-5.4.12.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2020-12-02
URL: CVE-2020-25638
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/
Release Date: 2020-12-02
Fix Resolution: org.hibernate:hibernate-core:5.3.20.Final,5.4.24.Final
Vulnerable Library - logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
Vulnerable Library - logback-classic-1.2.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /messaging-kafka/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-11-29
URL: CVE-2023-6378
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://logback.qos.ch/news.html#1.3.12
Release Date: 2023-11-29
Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12
Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar
logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
logback-classic-1.2.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /messaging-kafka/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.32
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Vulnerable Library - snakeyaml-1.25.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Vulnerable Library - hibernate-core-5.4.12.Final.jar
Hibernate's core ORM functionality
Library home page: http://hibernate.org
Path to dependency file: /messaging/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/5.4.12.Final/hibernate-core-5.4.12.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Publish Date: 2020-07-06
URL: CVE-2019-14900
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900
Release Date: 2020-07-06
Fix Resolution: org.hibernate:hibernate-core:5.4.18.Final
Vulnerable Library - jackson-core-2.10.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /webapp/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.10.2/jackson-core-2.10.2.jar
Dependency Hierarchy:
Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0
Found in base branch: develop
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-11-20
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1
The text was updated successfully, but these errors were encountered: