Snyk - Open Source Security

Snyk test summary

March 3rd 2021, 12:16:05 pm

Scanned the following path:
  • /Users/sanjogpanda/Desktop/firehose (gradle)
127 known vulnerabilities
479 vulnerable dependency paths
195 dependencies
  • Project: firehose
  • Path: /Users/sanjogpanda/Desktop/firehose
  • Package Manager: gradle
  • Manifest: build.gradle

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Remediation

Upgrade xerces:xercesImpl to version 2.12.0 or higher.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users, resulting in downtime.

One well-known form of Denial of Service is DDoS (Distributed Denial of Service), an attack that attempts to saturate the network links to a system by generating a large volume of traffic from many machines.

In the context of open source libraries, a DoS vulnerability lets an attacker trigger such a crash or crippling of the service through a flaw in either the application code or the open source libraries it uses.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sends crafted requests that cause the system to take a disproportionate amount of time or memory to process them. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

References

Man-in-the-Middle (MitM)

high severity

  • Package Manager: maven
  • Vulnerable module: org.postgresql:postgresql
  • Introduced through: firehose@1.0.2 and org.postgresql:postgresql@9.4.1212

Remediation

Upgrade org.postgresql:postgresql to version 42.2.5 or higher.

References

XML External Entity (XXE) Injection

high severity

  • Package Manager: maven
  • Vulnerable module: org.postgresql:postgresql
  • Introduced through: firehose@1.0.2 and org.postgresql:postgresql@9.4.1212

Remediation

Upgrade org.postgresql:postgresql to version 42.2.13 or higher.

References

Privilege Escalation

high severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 5.6.15, 6.6.1 or higher.

References

Information Exposure

high severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 5.6.12, 6.4.1 or higher.

References

Privilege Escalation

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-webapp
  • Introduced through: firehose@1.0.2 and org.eclipse.jetty:jetty-webapp@9.2.13.v20150730

Remediation

Upgrade org.eclipse.jetty:jetty-webapp to version 9.4.33.v20201020, jetty-10.0.0.beta3, 11.0.0.beta3 or higher.

References

Timing Attack

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-util
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Remediation

Upgrade org.eclipse.jetty:jetty-util to versions 9.2.22, 9.3.20, 9.4.6 or higher.

References

Authorization Bypass

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Remediation

Upgrade org.eclipse.jetty:jetty-server to versions 9.2.25, 9.3.24, 9.4.11 or higher.

References

Cache Poisoning

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

References

Cache Poisoning

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

References

Information Exposure

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.61 or higher.

References

Insufficient Validation

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Signature Validation Bypass

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.thrift:libthrift
  • Introduced through: firehose@1.0.2, io.jaegertracing:jaeger-thrift@1.0.0 and others

Remediation

A fix was pushed into the master branch but not yet published.

References

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.thrift:libthrift
  • Introduced through: firehose@1.0.2, io.jaegertracing:jaeger-thrift@1.0.0 and others

Remediation

Upgrade org.apache.thrift:libthrift to version 0.13.0 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.commons:commons-collections4
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade org.apache.commons:commons-collections4 to version 4.1 or higher.

References

HTTP Request Smuggling

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.44.Final or higher.

References

HTTP Request Smuggling

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.44.Final or higher.

References

Uncontrolled Memory Allocation

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec to version 4.1.46.Final or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.14 or higher.

References

XML External Entity (XXE) Injection

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Fixed in: 1.4.9

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.10 or higher.

References

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
  • Introduced through: firehose@1.0.2, org.elasticsearch:elasticsearch-x-content@6.3.1 and others

Remediation

Upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to version 2.11.4, 2.12.1 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9, 2.8.11.4, 2.7.9.6, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.1, 2.7.9.1, 2.8.9 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.1, 2.7.9.1, 2.8.10 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11, 2.9.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11, 2.9.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.1, 2.9.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.1, 2.8.11.4, 2.7.9.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2, 2.8.11.4, 2.7.9.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10, 2.8.11.5, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.1, 2.8.11.5, 2.6.7.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.1 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.2 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.7.9.7, 2.8.11.5, 2.9.10.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.8.11.5, 2.9.10.3 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.7.9.7, 2.8.11.6, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.4 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.5 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.4, 2.8.11.2, 2.9.6 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.7 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.

References

Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3, 2.7.9.5, 2.8.11.3, 2.9.8 or higher.

References

Arbitrary Code Execution

high severity

  • Package Manager: maven
  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: firehose@1.0.2, ch.qos.logback:logback-classic@1.1.7 and others

Remediation

Upgrade ch.qos.logback:logback-core to version 1.1.11 or higher.

References

Arbitrary Code Execution

high severity

  • Package Manager: maven
  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: firehose@1.0.2 and ch.qos.logback:logback-classic@1.1.7

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.0 or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Remediation

Upgrade xerces:xercesImpl to version 2.11.0.SP5 or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Remediation

Upgrade xerces:xercesImpl to version 2.11.0 or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Remediation

Upgrade xerces:xercesImpl to version 2.10.0 or higher.

References

Improper Input Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Remediation

Upgrade xerces:xercesImpl to version 2.12.0.SP03 or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: firehose@1.0.2, org.elasticsearch:elasticsearch-x-content@6.3.1 and others

Remediation

Upgrade org.yaml:snakeyaml to version 1.26 or higher.

References

Race Condition

medium severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.2, 7.2.1 or higher.

References

Cross-site Scripting (XSS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-util
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Remediation

Upgrade org.eclipse.jetty:jetty-util to version 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411 or higher.

References

Information Exposure

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.2.28.v20190418, 9.3.27.v20190418, 9.4.17.v20190418 or higher.

References

Cross-site Scripting (XSS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411 or higher.

References

Directory Traversal

medium severity

  • Package Manager: maven
  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: firehose@1.0.2, org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 and others

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

References

Timing Attack

medium severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Cryptographic Issues

medium severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Improper Input Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: org.apache.httpcomponents:httpclient
  • Introduced through: firehose@1.0.2 and org.apache.httpcomponents:httpclient@4.5.6

Remediation

Upgrade org.apache.httpcomponents:httpclient to version 4.5.13 or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: net.minidev:json-smart
  • Introduced through: firehose@1.0.2 and net.minidev:json-smart@2.3

Remediation

There is no fixed version for net.minidev:json-smart.

References

Improper Certificate Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-handler
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

There is no fixed version for io.netty:netty-handler.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References

Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.53.Final or higher.

References

Information Disclosure

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.59.Final or higher.

References

HTTP Request Smuggling

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.42.Final or higher.

References

Information Exposure

medium severity

  • Package Manager: maven
  • Vulnerable module: io.grpc:grpc-core
  • Introduced through: firehose@1.0.2 and io.grpc:grpc-core@1.18.0

Remediation

Upgrade io.grpc:grpc-core to version 1.31.0 or higher.

References

Arbitrary File Deletion

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References

Server-Side Request Forgery (SSRF)

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References

Insecure XML deserialization

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.7, 1.4.11 or higher.

References

Directory Traversal

medium severity

  • Package Manager: maven
  • Vulnerable module: com.squareup.retrofit2:retrofit
  • Introduced through: firehose@1.0.2, com.squareup.retrofit2:converter-moshi@2.1.0 and others

Remediation

Upgrade com.squareup.retrofit2:retrofit to version 2.5.0 or higher.

References

SSL Certificate Bypass

medium severity

  • Package Manager: maven
  • Vulnerable module: com.squareup.okhttp:okhttp
  • Introduced through: firehose@1.0.2, io.grpc:grpc-okhttp@1.18.0 and others

Remediation

Upgrade com.squareup.okhttp:okhttp to version 2.7.4 or higher.

References

Information Disclosure

medium severity

  • Package Manager: maven
  • Vulnerable module: com.google.guava:guava
  • Introduced through: firehose@1.0.2 and com.google.guava:guava@27.0.1-jre

Remediation

Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.

References

Deserialization of Untrusted Data

medium severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

References

Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.13, 7.9.2 or higher.

References

Information Disclosure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.14, 7.10.0 or higher.

References

Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Remediation

Upgrade org.elasticsearch:elasticsearch to version 7.4.0, 6.8.4 or higher.

References

XML External Entity (XXE) Injection

low severity

  • Package Manager: maven
  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: firehose@1.0.2, org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 and others

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

References

Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Insufficient Validation

low severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References

Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: junit:junit
  • Introduced through: firehose@1.0.2 and junit:junit@4.12

Remediation

Upgrade junit:junit to version 4.13.1 or higher.

References

Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: firehose@1.0.2, org.apache.httpcomponents:httpclient@4.5.6 and others

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.

References