You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
Vulnerable Library - jackson-databind-2.12.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
Dependency Hierarchy:
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Found in base branch: main
Vulnerability Details
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.12.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
Dependency Hierarchy:
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Found in base branch: main
Vulnerability Details
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
Publish Date: 2022-10-02
URL: CVE-2022-42003
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.12.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
Dependency Hierarchy:
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Found in base branch: main
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-11
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jackson-databind-2.12.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.1/jackson-databind-2.12.1.jar
Dependency Hierarchy:
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-11-20
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - kotlin-stdlib-1.5.10-modular.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /duelinvaders/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.5.10/kotlin-stdlib-1.5.10-modular.jar
Dependency Hierarchy:
Found in HEAD commit: 71165cfdf2e2f0ec68fa394fe17d5b9d7eec763f
Found in base branch: main
Vulnerability Details
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1
Direct dependency fix Resolution (com.github.almasb:fxgl): 17.2
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: