CVE-2019-17267
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Mitigation: *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`. Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling default typing. Instead, you will need to implement your own:
> It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(...) -- you just have…
CVE-2019-17091
Description: faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17091
https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244
https://github.com/eclipse-ee4j/mojarra/issues/4556
https://github.com/eclipse-ee4j/mojarra/pull/4567
Project…
CVE-2019-16335
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Mitigation: *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16335
https://github.com/FasterXML/jackson-databind/issues/2449
https://blog.sonatype.com/jackson-databind-remote-code-execution
https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
Project Category: n/a
Tags: data
Date Disclosed: 2019-09-15
Date Discovered: 2019-09-15
CVE-2019-14893
Description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Mitigation: *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
In order to mitigate this vulnerability,…
CVE-2019-14892
Description: A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Mitigation: *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
In order to mitigate this vulnerability, we recommend upgrading to at least version 2.10.0 and changing any usages of `enableDefaultTyping()` to `activateDefaultTyping()`. Alternatively, if upgrading is not a viable option, this vulnerability can be mitigated by disabling…
CVE-2019-14540
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Mitigation: *Update*: As of version 2.10.0, Jackson now provides a safe default typing solution that fully mitigates this vulnerability. Reference: https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14540
https://github.com/FasterXML/jackson-databind/issues/2410
https://blog.sonatype.com/jackson-databind-remote-code-execution
https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
Project Category: n/a
Tags: data
Date Disclosed: 2019-09-15
Date Discovered: 2019-08-02
CVE-2019-13990
Description: initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13990
https://github.com/quartz-scheduler/quartz/issues/467
Project Category: n/a
Tags: data
Date Disclosed: 2019-07-26
Date Discovered: 2019-07-19
CVE-2019-12419
Description: Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12419
http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
Project Category: Apache CXF
OpenId Connect token service does not properly…
CVE-2019-12418
Description: When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component…
CVE-2019-12406
Description: Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Mitigation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of…