Snyk - Open Source Security

Snyk test report

March 3rd 2021, 12:14:35 pm

Scanned the following path:
  • /Users/sanjogpanda/Desktop/firehose (gradle)
127 known vulnerabilities
479 vulnerable dependency paths
195 dependencies
Project firehose
Path /Users/sanjogpanda/Desktop/firehose
Package Manager gradle
Manifest build.gradle

Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 xerces:xerces@2.4.0 xerces:xercesImpl@2.4.0

Overview

xerces:xercesImpl is a fully compliant XML parsers in the Apache Xerces family

Affected versions of this package are vulnerable to Denial of Service (DoS). Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Remediation

Upgrade xerces:xercesImpl to version 2.12.0 or higher.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

References


Man-in-the-Middle (MitM)

high severity

  • Package Manager: maven
  • Vulnerable module: org.postgresql:postgresql
  • Introduced through: firehose@1.0.2 and org.postgresql:postgresql@9.4.1212

Detailed paths

  • Introduced through: firehose@1.0.2 org.postgresql:postgresql@9.4.1212

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver.

Remediation

Upgrade org.postgresql:postgresql to version 42.2.5 or higher.

References


XML External Entity (XXE) Injection

high severity

  • Package Manager: maven
  • Vulnerable module: org.postgresql:postgresql
  • Introduced through: firehose@1.0.2 and org.postgresql:postgresql@9.4.1212

Detailed paths

  • Introduced through: firehose@1.0.2 org.postgresql:postgresql@9.4.1212

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The PgSQLXML class used for parsing was found to allow external entities and multiple doc types which could allow XXE attacks.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<?xml version="1.0" encoding="ISO-8859-1"?>
           <username>John</username>
        </xml>
        

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<?xml version="1.0" encoding="ISO-8859-1"?>
        <!DOCTYPE foo [
           <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
           <username>&xxe;</username>
        </xml>
        

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade org.postgresql:postgresql to version 42.2.13 or higher.

References


Privilege Escalation

high severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Privilege Escalation. A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used .

If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 5.6.15, 6.6.1 or higher.

References


Information Exposure

high severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. None

Remediation

Upgrade org.elasticsearch:elasticsearch to version 5.6.12, 6.4.1 or higher.

References


Privilege Escalation

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-webapp
  • Introduced through: firehose@1.0.2 and org.eclipse.jetty:jetty-webapp@9.2.13.v20150730

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-webapp@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-webapp is a maven plugin for Jetty web application support.

Affected versions of this package are vulnerable to Privilege Escalation. The system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Remediation

Upgrade org.eclipse.jetty:jetty-webapp to version 9.4.33.v20201020, jetty-10.0.0.beta3, 11.0.0.beta3 or higher.

References


Timing Attack

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-util
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-webapp@9.2.13.v20150730 org.eclipse.jetty:jetty-xml@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-util is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Timing Attacks. A flaw in the util/security/Password.java class makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Remediation

Upgrade org.eclipse.jetty:jetty-util to versions 9.2.22, 9.3.20, 9.4.6 or higher.

References


Authorization Bypass

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Authorization Bypass. When it presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Remediation

Upgrade org.eclipse.jetty:jetty-server to versions 9.2.25, 9.3.24, 9.4.11 or higher.

References


Cache Poisoning

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Cache Poisoning. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version, the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

References


Cache Poisoning

high severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Cache Poisoning. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version, the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

References


Information Exposure

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Information Exposure. Attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.61 or higher.

References


Insufficient Validation

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insufficient Validation. The DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of invisible data into a signed structure.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insecure Encryption. The DSA key pair generator generates a weak private key if used with default values.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insecure Encryption. A carry propagation bug was introduced in the implementation of squaring for several raw math classes.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Signature Validation Bypass

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Signature Validation Bypass. It does not fully validate ASN.1 encoding of signature on verification.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insecure Encryption. The ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Insecure Encryption

high severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insecure Encryption. The DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.thrift:libthrift
  • Introduced through: firehose@1.0.2, io.jaegertracing:jaeger-thrift@1.0.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.jaegertracing:jaeger-thrift@1.0.0 org.apache.thrift:libthrift@0.12.0

Overview

org.apache.thrift:libthrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC.

Affected versions of this package are vulnerable to Denial of Service (DoS). It would not error upon receiving messages declaring containers of sizes larger than the payload.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

A fix was pushed into the master branch but not yet published.

References


Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.thrift:libthrift
  • Introduced through: firehose@1.0.2, io.jaegertracing:jaeger-thrift@1.0.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.jaegertracing:jaeger-thrift@1.0.0 org.apache.thrift:libthrift@0.12.0

Overview

org.apache.thrift:libthrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC.

Affected versions of this package are vulnerable to Denial of Service (DoS). A server or client may run into an endless loop when fed with specific input data. Note: This issue was found to be partially fixed within version 0.11.0, As such depending on the installed version it affects only certain language bindings.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.thrift:libthrift to version 0.13.0 or higher.

References


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: org.apache.commons:commons-collections4
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 org.apache.commons:commons-collections4@4.0

Overview

org.apache.commons:commons-collections4 is a Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to execute arbitrary Java code with the InvokerTransformer serializable collections . The sun.reflect.annotation.AnnotationInvocationHandler#readObject method invokes #entrySet and #get on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the common-collections library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

  • Apache Blog

The vulnerability, also know as Mad Gadget

Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.

  • Google

Remediation

Upgrade org.apache.commons:commons-collections4 to version 4.1 or higher.

References


HTTP Request Smuggling

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the package mishandling Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header when using HTTP/1.1. This issue exists because of an incomplete fix for CVE-2019-16869.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.44.Final or higher.

References


HTTP Request Smuggling

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax or as an "invalid fold."

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.44.Final or higher.

References


Uncontrolled Memory Allocation

high severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-handler@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-handler@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-socks@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-handler@4.1.32.Final io.netty:netty-codec@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-socks@4.1.32.Final io.netty:netty-codec@4.1.32.Final

Overview

io.netty:netty-codec is an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Uncontrolled Memory Allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Remediation

Upgrade io.netty:netty-codec to version 4.1.46.Final or higher.

References


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.

This issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.

PoC

<map>
          <entry>
            <jdk.nashorn.internal.objects.NativeString>
              <flags>0</flags>
              <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
                <dataHandler>
                  <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
                    <contentType>text/plain</contentType>
                    <is class='java.io.SequenceInputStream'>
                      <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                        <iterator class='javax.imageio.spi.FilterIterator'>
                          <iter class='java.util.ArrayList$Itr'>
                            <cursor>0</cursor>
                            <lastRet>-1</lastRet>
                            <expectedModCount>1</expectedModCount>
                            <outer-class>
                              <java.lang.ProcessBuilder>
                                <command>
                                  <string>calc</string>
                                </command>
                              </java.lang.ProcessBuilder>
                            </outer-class>
                          </iter>
                          <filter class='javax.imageio.ImageIO$ContainsFilter'>
                            <method>
                              <class>java.lang.ProcessBuilder</class>
                              <name>start</name>
                              <parameter-types/>
                            </method>
                            <name>start</name>
                          </filter>
                          <next/>
                        </iterator>
                        <type>KEYS</type>
                      </e>
                      <in class='java.io.ByteArrayInputStream'>
                        <buf></buf>
                        <pos>0</pos>
                        <mark>0</mark>
                        <count>0</count>
                      </in>
                    </is>
                    <consumed>false</consumed>
                  </dataSource>
                  <transferFlavors/>
                </dataHandler>
                <dataLen>0</dataLen>
              </value>
            </jdk.nashorn.internal.objects.NativeString>
            <string>test</string>
          </entry>
        </map>
        

Note: 1.4.14-jdk7is optimised for OpenJDK 7, release 1.4.14 are compatible with other JDK projects.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).


XML External Entity (XXE) Injection

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again. Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<?xml version="1.0" encoding="ISO-8859-1"?>
           <username>John</username>
        </xml>
        

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<?xml version="1.0" encoding="ISO-8859-1"?>
        <!DOCTYPE foo [
           <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
           <username>&xxe;</username>
        </xml>
        

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

References


Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("&lt;void/>") call.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.10 or higher.

References


Denial of Service (DoS)

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor
  • Introduced through: firehose@1.0.2, org.elasticsearch:elasticsearch-x-content@6.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch-x-content@6.3.1 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.8.10

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-cbor to version 2.11.4, 2.12.1 or higher.

References


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to the class ignite-jta.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

  • Apache Blog

    Remediation

    Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

    References

  • GitHub Issue


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

  • Apache Blog

    Remediation

    Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8 or higher.

    References

  • GitHub Issue


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the javax.swing gadget (specifically javax.swing.JTextPane).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath. An attacker can host a crafted MySQL server reachable by the victim and send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker may exploit this issue by sending a maliciously crafted input to the readValue method of the ObjectMapper.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE-2017-7525).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE-2017-7525). This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE-2017-7525 and CVE-2017-17485). This is exploitable via two different gadgets that bypass a blacklist.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data which allows attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. SubTypeValidator.java mishandles default typing when ehcache is used, leading to remote code execution.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as com.zaxxer.hikari.HikariDataSource was not blocked. Note: This is a different vulnerability than CVE-2019-14540.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as com.zaxxer.hikari.HikariConfig was not blocked. Note: This is a different vulnerability than CVE-2019-16335.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to org.apache.cxf.jaxrs.provider.XSLTJaxbProvider.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered within org.apache.commons.dbcp.datasources.SharedPoolDataSource was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered as com.p6spy.engine.spy.P6DataSource was not blocked. An attacker could leverage this gadget type to perform Remote Code Execution attacks through deserialization.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A Polymorphic Typing issue was discovered related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. When Default Typing is enabled for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Two additional net.sf.ehcache gadgets are not blacklisted.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE-2017-7525). It lacks xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Mishandles the interaction between serialization gadgets and typing, related to:

  • com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)
  • br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)
  • org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to an incomplete black list (incomplete fix for CVE-2017-7525). It doesn't block common-configuration JNDI classes org.apache.commons.configuration.JNDIConfiguration and org.apache.commons.configuration2.JNDIConfiguration.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Note: This vulnerability does not affect release 2.10.0 onward.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

Note: This vulnerability does not affect release 2.10.0 onward.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget javax.swing.JEditorPane.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to gadget org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadgets org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to gadget org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (xalan2) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized.

Note: This vulnerability does not affect release 2.10.0 onward.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The package mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using the oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (apache/drill) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized.

Note: This vulnerability does not affect release 2.10.0 onward.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to conduct a Deserialization attack using any of the following class gadget available within weblogic/oracle-aqjms if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized.

  • oracle.jms.AQjmsQueueConnectionFactory
  • oracle.jms.AQjmsXATopicConnectionFactory
  • oracle.jms.AQjmsTopicConnectionFactory
  • oracle.jms.AQjmsXAQueueConnectionFactory
  • oracle.jms.AQjmsXAConnectionFactory

Note: This vulnerability does not affect release 2.10.0 onward.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

  • Apache Blog

    Remediation

    Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.6 or higher.

    References

  • GitHub Issue

  • Medium Article

  • PoC


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the Default Typing feature. an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-12022) is not identical to CVE-2018-12018,CVE-2018-12019, CVE-2018-14720, CVE-2018-14721, CVE-2018-14723 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled. This vulnerability is due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-11307) is not identical to CVE-2018-12018,CVE-2018-12019, CVE-2018-14720, CVE-2018-14721, CVE-2018-14722 and CVE-2018-14723.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack, if the user is handling untrusted content or using the Default Typing feature. This vulnerability is due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-12023) is not identical to CVE-2018-12018, CVE-2018-12019, CVE-2018-14720, CVE-2018-14721, CVE-2018-14722 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks via the slf4j-ext gadget due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-14718) is not identical to CVE-2018-12019, CVE-2018-14720, CVE-2018-14721, CVE-2018-14722,CVE-2018-12023 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform an XML External Entity (XXE) Injection via the JDK classes due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-14720) is not identical to CVE-2018-12018, CVE-2018-14729, CVE-2018-14721, CVE-2018-14722,CVE-2018-12023 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attack via the blaze-ds-opt gadget due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-14719) is not identical to CVE-2018-12018, CVE-2018-14720, CVE-2018-14721, CVE-2018-14722,CVE-2018-12023 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A malicious user could perform a SSRF attack via the axis2-jaxws gadget due to an incomplete fix for the CVE-2017-7525 deserialization flaw.

Note: This vulnerability (CVE-2018-14721) is not identical to CVE-2018-12018, CVE-2018-14719, CVE-2018-14720, CVE-2018-14722,CVE-2018-12023 and CVE-2018-11307.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the jboss-common-core class from polymorphic deserialization.

Note This vulnerability (CVE-2018-19362) is not identical to CVE-2018-19360 and CVE-2018-19361.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the axis2-transport-jms class from polymorphic deserialization.

Note This vulnerability (CVE-2018-19360) is not identical to CVE-2018-19362 and CVE-2018-19361.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Deserialization of Untrusted Data

high severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker could perform a Remote Code Execution attacks due to not blocking the axis2-transport-jms class from polymorphic deserialization.

Note This vulnerability (CVE-2018-19361) is not identical to CVE-2018-19362 and CVE-2018-19360.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Arbitrary Code Execution

high severity

  • Package Manager: maven
  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: firehose@1.0.2, ch.qos.logback:logback-classic@1.1.7 and others

Detailed paths

  • Introduced through: firehose@1.0.2 ch.qos.logback:logback-classic@1.1.7 ch.qos.logback:logback-core@1.1.7

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).


Arbitrary Code Execution

high severity

  • Package Manager: maven
  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: firehose@1.0.2 and ch.qos.logback:logback-classic@1.1.7

Detailed paths

  • Introduced through: firehose@1.0.2 ch.qos.logback:logback-classic@1.1.7

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collection). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 xerces:xerces@2.4.0 xerces:xercesImpl@2.4.0

Overview

xerces:xercesimpl is a that is used for high performance, fully compliant XML parsers in the Apache Xerces family.

Affected versions of this package are vulnerable to Denial of Service (DoS) which is caused by the way the JRE processes XML files. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade xerces:xercesimpl to version 2.11.0.SP5 or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 xerces:xerces@2.4.0 xerces:xercesImpl@2.4.0

Overview

xerces:xercesimpl is a that is used for high performance, fully compliant XML parsers in the Apache Xerces family.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker may be able to force the target server to parse an FTP URL, which points to an FTP server controller by the attacker. When the target server is mid way through fetching the FTP resources, the attackers malicious FTP server will exit the process and will leave the thread hanging in the target server.

It is possible to conduct this attack only if the following conditions are met:

  • An attacker can pass an URL parameter that points to a controlled FTP server to the target.
  • Target server uses vulnerable component(s) to fetch the resource specified by the attacker.
  • Target server does not prevent fetching of FTP URI resources.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/
        

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
        0.04s user 0.01s system 95% cpu 0.052 total
        
        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
        1.79s user 0.02s system 99% cpu 1.812 total
        

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade xerces:xercesimpl to version 2.11.0 or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 xerces:xerces@2.4.0 xerces:xercesImpl@2.4.0

Overview

xerces:xercesimpl is an that is used for high performance, fully compliant XML parsers in the Apache Xerces family.

Affected versions of this package are vulnerable to Denial of Service (DoS). XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Details

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

ֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade xerces:xercesimpl to version 2.10.0 or higher.

References


Improper Input Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: xerces:xercesImpl
  • Introduced through: firehose@1.0.2, xerces:xerces@2.4.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 xerces:xerces@2.4.0 xerces:xercesImpl@2.4.0

Overview

xerces:xercesimpl is a that is used for high performance, fully compliant XML parsers in the Apache Xerces family.

Affected versions of this package are vulnerable to Improper Input Validation due to the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code.

Remediation

Upgrade xerces:xercesimpl to version 2.12.0.SP03 or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: firehose@1.0.2, org.elasticsearch:elasticsearch-x-content@6.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch-x-content@6.3.1 org.yaml:snakeyaml@1.17

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Note While the Maintainer acknowledges the existence of the issue, they believe it should be solved by sanitizing the inputStream to the parser

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.26 or higher.

References


Race Condition

medium severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Race Condition. ‎On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.2, 7.2.1 or higher.

References


Cross-site Scripting (XSS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-util
  • Introduced through: firehose@1.0.2, org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlets@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-webapp@9.2.13.v20150730 org.eclipse.jetty:jetty-xml@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-http@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730 org.eclipse.jetty:jetty-io@9.2.13.v20150730 org.eclipse.jetty:jetty-util@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-util is a Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.

Details

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade org.eclipse.jetty:jetty-util to version 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411 or higher.

References


Information Exposure

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. The configuration of a Jetty server may be leaked as part of a HTTP 404 response. This is due to the DefaultHandler class producing an error page during an exception.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.2.28.v20190418, 9.3.27.v20190418, 9.4.17.v20190418 or higher.

References


Cross-site Scripting (XSS)

medium severity

  • Package Manager: maven
  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: firehose@1.0.2, com.github.tomakehurst:wiremock@2.3.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.eclipse.jetty:jetty-server@9.2.13.v20150730
  • Introduced through: firehose@1.0.2 org.eclipse.jetty:jetty-servlet@9.2.13.v20150730 org.eclipse.jetty:jetty-security@9.2.13.v20150730 org.eclipse.jetty:jetty-server@9.2.13.v20150730

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.

Details

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411 or higher.

References


Directory Traversal

medium severity

  • Package Manager: maven
  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: firehose@1.0.2, org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 kr.motd.maven:os-maven-plugin@1.2.3.Final org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 org.apache.maven:maven-plugin-api@3.2.1 org.apache.maven:maven-model@3.2.1 org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 org.apache.maven:maven-plugin-api@3.2.1 org.apache.maven:maven-artifact@3.2.1 org.codehaus.plexus:plexus-utils@3.0.17

Overview

Codehaus Plexus is a collection of components used by Apache Maven.

Affected versions of this package are vulnerable to Directory Traversal.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
        

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
        

Remediation

Upgrade Codehaus Plexus to version 3.0.24 or higher.

References


Timing Attack

medium severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Timing attacks. Where timings can be closely observed for the generation of signatures, the lack of blinding may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 o higher.

References


Cryptographic Issues

medium severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Cryptographic Issues. The DHIES/ECIES CBC mode are vulnerable to padding oracle attack.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Improper Input Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: org.apache.httpcomponents:httpclient
  • Introduced through: firehose@1.0.2 and org.apache.httpcomponents:httpclient@4.5.6

Detailed paths

  • Introduced through: firehose@1.0.2 org.apache.httpcomponents:httpclient@4.5.6
  • Introduced through: firehose@1.0.2 com.gojek:stencil@4.2.0 org.apache.httpcomponents:httpclient@4.5.6
  • Introduced through: firehose@1.0.2 org.elasticsearch.client:elasticsearch-rest-client@6.3.1 org.apache.httpcomponents:httpclient@4.5.6
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.apache.httpcomponents:httpclient@4.5.6
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.apache.httpcomponents:httpclient@4.5.6

Overview

org.apache.httpcomponents:httpclient is a HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Improper Input Validation. Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Remediation

Upgrade org.apache.httpcomponents:httpclient to version 4.5.13 or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: net.minidev:json-smart
  • Introduced through: firehose@1.0.2 and net.minidev:json-smart@2.3

Detailed paths

  • Introduced through: firehose@1.0.2 net.minidev:json-smart@2.3

Overview

net.minidev:json-smart is a Java JSON parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

There is no fixed version for net.minidev:json-smart.

References


Improper Certificate Validation

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-handler
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-handler@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-handler@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-handler@4.1.32.Final

Overview

io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Affected versions of this package are vulnerable to Improper Certificate Validation. Certificate hostname validation is disabled by default in Netty 4.1.x which makes it potentially susceptible to Man-in-the-Middle attacks.

Remediation

There is no fixed version for io.netty:netty-handler.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). A Netty based HTTP/2 server can be forced to buffer unbounded amounts of memory when flooded with control frames that require an automatic response.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/
        

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
        0.04s user 0.01s system 95% cpu 0.052 total
        
        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
        1.79s user 0.02s system 99% cpu 1.812 total
        

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). A Netty based HTTP/2 server can be forced to buffer unbounded amounts of memory when flooded with control frames that require an automatic response.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/
        

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
        0.04s user 0.01s system 95% cpu 0.052 total
        
        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
        1.79s user 0.02s system 99% cpu 1.812 total
        

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). A Netty based HTTP/2 server can be forced to buffer unbounded amounts of memory when flooded with control frames that require an automatic response.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/
        

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
        0.04s user 0.01s system 95% cpu 0.052 total
        
        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
        1.79s user 0.02s system 99% cpu 1.812 total
        

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: firehose@1.0.2, io.grpc:grpc-netty@1.18.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Denial of Service (DoS). A Netty based HTTP/2 server could be forced to consume substantial CPU resources by sending it an unbounded sequence of empty DATA frames that do not have END_STREAM set on them.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/
        

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
        0.04s user 0.01s system 95% cpu 0.052 total
        
        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
        1.79s user 0.02s system 99% cpu 1.812 total
        

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.39.Final or higher.

References


Denial of Service (DoS)

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Denial of Service (DoS). When the post request body data received by the server is greater than 16k, netty will use DiskAttribute, which will create a temporary file, and use deleteOnExit() when the file needs to be deleted, which results in DeleteOnExitHook.files continually growing and leading to a denial of service.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.53.Final or higher.

References


Information Disclosure

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Information Disclosure via the AbstractDiskHttpData method, and on Unix-like systems.

When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk are enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure. The method File.createTempFile on unix-like systems creates a random file, but, by default will create this file with the permissions -rw-r--r--. Sensitive information is written to this file in AbstractDiskHttpData, and other local users can read it.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.59.Final or higher.

References


HTTP Request Smuggling

medium severity

  • Package Manager: maven
  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-codec-http2@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final
  • Introduced through: firehose@1.0.2 io.grpc:grpc-netty@1.18.0 io.netty:netty-handler-proxy@4.1.32.Final io.netty:netty-codec-http@4.1.32.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Netty mishandles whitespace before the colon in HTTP headers such as a Transfer-Encoding : chunked line. This can lead to HTTP request smuggling where an attacker can bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.42.Final or higher.

References


Information Exposure

medium severity

  • Package Manager: maven
  • Vulnerable module: io.grpc:grpc-core
  • Introduced through: firehose@1.0.2 and io.grpc:grpc-core@1.18.0

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-core@1.18.0

Overview

io.grpc:grpc-core is a The Java gRPC implementation. HTTP/2 based RPC.

Affected versions of this package are vulnerable to Information Exposure. There is a leakage when a listener throws an exception and the executor is shut down immediately after the call completes.

Remediation

Upgrade io.grpc:grpc-core to version 1.31.0 or higher.

References


Arbitrary File Deletion

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References


Server-Side Request Forgery (SSRF)

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.

Note: This vulnerability does not exist running Java 15 or higher, and is only relevant when using XStream's default blacklist.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.15 or higher.

References


Insecure XML deserialization

medium severity

  • Package Manager: maven
  • Vulnerable module: com.thoughtworks.xstream:xstream
  • Introduced through: firehose@1.0.2 and com.thoughtworks.xstream:xstream@1.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 com.thoughtworks.xstream:xstream@1.3.1

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.7, 1.4.11 or higher.

References


Directory Traversal

medium severity

  • Package Manager: maven
  • Vulnerable module: com.squareup.retrofit2:retrofit
  • Introduced through: firehose@1.0.2, com.squareup.retrofit2:converter-moshi@2.1.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.squareup.retrofit2:converter-moshi@2.1.0 com.squareup.retrofit2:retrofit@2.1.0
  • Introduced through: firehose@1.0.2 org.influxdb:influxdb-java@2.5 com.squareup.retrofit2:retrofit@2.1.0

Overview

com.squareup.retrofit2:retrofit is a Type-safe HTTP client for Android and Java by Square, Inc.

Affected versions of this package are vulnerable to Directory Traversal. @Path values could participate in path-traversal. This allowed untrusted input passed as a path value to potentially cause the system to make a request to an un-intended relative URL.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
        

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
        

Remediation

Upgrade com.squareup.retrofit2:retrofit to version 2.5.0 or higher.

References


SSL Certificate Bypass

medium severity

  • Package Manager: maven
  • Vulnerable module: com.squareup.okhttp:okhttp
  • Introduced through: firehose@1.0.2, io.grpc:grpc-okhttp@1.18.0 and others

Detailed paths

  • Introduced through: firehose@1.0.2 io.grpc:grpc-okhttp@1.18.0 com.squareup.okhttp:okhttp@2.5.0

Overview

com.squareup.okhttp:okhttp is an HTTP & HTTP/2 client for Android and Java applications

Affected versions of this package are vulnerable to SSL Certificate Bypass. It allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

Remediation

Upgrade com.squareup.okhttp:okhttp to version 2.7.4 or higher.

References


Information Disclosure

medium severity

  • Package Manager: maven
  • Vulnerable module: com.google.guava:guava
  • Introduced through: firehose@1.0.2 and com.google.guava:guava@27.0.1-jre

Detailed paths

  • Introduced through: firehose@1.0.2 com.google.guava:guava@27.0.1-jre

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allows an attacker running a malicious program co-resident on the same machine can steal secrets stored in this directory. This is because by default on unix-like operating systems the /temp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

PoC

File guavaTempDir = com.google.common.io.Files.createTempDir();
        System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
        runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
        File child = new File(guavaTempDir, "guava-child.txt");
        child.createNewFile();
        runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--
        

Remediation

Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.

References


Deserialization of Untrusted Data

medium severity

  • Package Manager: maven
  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: firehose@1.0.2, com.flipkart.zjsonpatch:zjsonpatch@0.2.1 and others

Detailed paths

  • Introduced through: firehose@1.0.2 com.flipkart.zjsonpatch:zjsonpatch@0.2.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 com.github.fge:jackson-coreutils@1.8 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 com.fasterxml.jackson.core:jackson-databind@2.8.1
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.jfrog.buildinfo:build-info-api@2.6.3 com.fasterxml.jackson.core:jackson-databind@2.8.1

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.

com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.

Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:

1. The target application allowing JSON user input which is processed by jackson-databind

An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.

2. Polymorphic type handling for properties with nominal type are enabled

Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.

3. An exploitable gadget class is available for the attacker to leverage

Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.

Further reading:


Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. It contains a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.13, 7.9.2 or higher.

References


Information Disclosure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Disclosure. There is an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.8.14, 7.10.0 or higher.

References


Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.elasticsearch:elasticsearch
  • Introduced through: firehose@1.0.2 and org.elasticsearch:elasticsearch@6.3.1

Detailed paths

  • Introduced through: firehose@1.0.2 org.elasticsearch:elasticsearch@6.3.1

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 7.4.0, 6.8.4 or higher.

References


XML External Entity (XXE) Injection

low severity

  • Package Manager: maven
  • Vulnerable module: org.codehaus.plexus:plexus-utils
  • Introduced through: firehose@1.0.2, org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.eclipse.sisu:org.eclipse.sisu.plexus@0.0.0.M5 org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 kr.motd.maven:os-maven-plugin@1.2.3.Final org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 org.apache.maven:maven-plugin-api@3.2.1 org.apache.maven:maven-model@3.2.1 org.codehaus.plexus:plexus-utils@3.0.17
  • Introduced through: firehose@1.0.2 org.apache.maven:maven-plugin-api@3.2.1 org.apache.maven:maven-artifact@3.2.1 org.codehaus.plexus:plexus-utils@3.0.17

Overview

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This means that text contained in the command string could be interpreted as XML and allow for XML injection.

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

References


Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Information Exposure. The primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Insufficient Validation

low severity

  • Package Manager: maven
  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: firehose@1.0.2, org.mock-server:mockserver-core@3.10.5 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-netty@3.10.5 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52
  • Introduced through: firehose@1.0.2 org.mock-server:mockserver-core@3.10.5 org.bouncycastle:bcmail-jdk15on@1.52 org.bouncycastle:bcpkix-jdk15on@1.52 org.bouncycastle:bcprov-jdk15on@1.52

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Insufficient Validation. The other party DH public key is not fully validated.

Remediation

Upgrade org.bouncycastle:bcprov-jdk15on to version 1.56 or higher.

References


Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: junit:junit
  • Introduced through: firehose@1.0.2 and junit:junit@4.12

Detailed paths

  • Introduced through: firehose@1.0.2 junit:junit@4.12

Overview

junit:junit is an unit testing framework for Java

Affected versions of this package are vulnerable to Information Exposure. The JUnit4 test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

Note: This vulnerability does not allow other users to overwrite the contents of these directories or files. This only affects Unix like systems.

Remediation

Upgrade junit:junit to version 4.13.1 or higher.

References


Information Exposure

low severity

  • Package Manager: maven
  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: firehose@1.0.2, org.apache.httpcomponents:httpclient@4.5.6 and others

Detailed paths

  • Introduced through: firehose@1.0.2 org.apache.httpcomponents:httpclient@4.5.6 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 org.elasticsearch.client:elasticsearch-rest-client@6.3.1 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 com.gojek:stencil@4.2.0 org.apache.httpcomponents:httpclient@4.5.6 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 org.elasticsearch.client:elasticsearch-rest-client@6.3.1 org.apache.httpcomponents:httpclient@4.5.6 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 org.jfrog.buildinfo:build-info-client@2.6.3 org.apache.httpcomponents:httpclient@4.5.6 commons-codec:commons-codec@1.10
  • Introduced through: firehose@1.0.2 com.github.tomakehurst:wiremock@2.3.1 org.apache.httpcomponents:httpclient@4.5.6 commons-codec:commons-codec@1.10

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.

References