CVE-2019-17359 Description The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17359 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-17359 https://www.bouncycastle.org/releasenotes.html…

CVE-2019-17267 Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. Mitigation *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: (https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2) In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`. Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own: >It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(...) -- you just have…

CVE-2019-17091 Description faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17091 https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244 https://github.com/eclipse-ee4j/mojarra/issues/4556 https://github.com/eclipse-ee4j/mojarra/pull/4567 Project…

CVE-2019-16335 Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. Mitigation *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: (https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2) We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16335 https://github.com/FasterXML/jackson-databind/issues/2449 https://blog.sonatype.com/jackson-databind-remote-code-execution https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist Project Category n/a Tags data Date Disclosed 2019-09-15 Date Discovered 2019-09-15 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2019-14540 Description A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. Mitigation *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: (https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2) We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14540 https://github.com/FasterXML/jackson-databind/issues/2410 https://blog.sonatype.com/jackson-databind-remote-code-execution https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist Project Category n/a Tags data Date Disclosed 2019-09-15 Date Discovered 2019-08-02 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us so we can help you.

CVE-2019-13990 Description initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13990 https://github.com/quartz-scheduler/quartz/issues/467 Project Category n/a Tags data Date Disclosed 2019-07-26 Date Discovered 2019-07-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable?  Contact us…