Search criteria
52 vulnerabilities found for banking_supply_chain_finance by oracle
CVE-2022-22963 (GCVE-0-2022-22963)
Vulnerability from nvd – Published: 2022-04-01 00:00 – Updated: 2025-10-21 23:15
VLAI?
Summary
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Cloud Function |
Affected:
Spring Cloud Function versions 3.1.6, 3.2.2 and all old and unsupported versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22963"
},
{
"name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-22963",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T17:53:06.523275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-08-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:42.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-25T00:00:00+00:00",
"value": "CVE-2022-22963 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Function",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Cloud Function versions 3.1.6, 3.2.2 and all old and unsupported versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T00:00:00.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://tanzu.vmware.com/security/cve-2022-22963"
},
{
"name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-22963",
"datePublished": "2022-04-01T00:00:00.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:42.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31812 (GCVE-0-2021-31812)
Vulnerability from nvd – Published: 2021-06-12 09:45 – Updated: 2024-08-03 23:10
VLAI?
Title
A carefully crafted PDF file can trigger an infinite loop while loading the file
Summary
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-834 - Excessive Iteration
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , < 2.0.24
(custom)
|
Credits
Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.24",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:28:20",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an infinite loop while loading the file",
"workarounds": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31812",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an infinite loop while loading the file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache PDFBox",
"version_value": "2.0.24"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-834 Excessive Iteration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31812",
"datePublished": "2021-06-12T09:45:11",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31811 (GCVE-0-2021-31811)
Vulnerability from nvd – Published: 2021-06-12 09:45 – Updated: 2024-08-03 23:10
VLAI?
Title
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file
Summary
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , < 2.0.24
(custom)
|
Credits
Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.24",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:28:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"defect": [
"PDFBOX-5177"
],
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"workarounds": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31811",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache PDFBox",
"version_value": "2.0.24"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-789: Memory Allocation with Excessive Size Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"defect": [
"PDFBOX-5177"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31811",
"datePublished": "2021-06-12T09:45:11",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29505 (GCVE-0-2021-29505)
Vulnerability from nvd – Published: 2021-05-28 21:00 – Updated: 2025-05-29 23:30
VLAI?
Title
XStream is vulnerable to a Remote Command Execution attack
Summary
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:05.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f"
},
{
"name": "[jmeter-dev] 20210607 [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210705 [SECURITY] [DLA 2704-1] libxstream-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html"
},
{
"name": "FEDORA-2021-fbad11014a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
},
{
"name": "FEDORA-2021-d894ca87dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210708-0007/"
},
{
"name": "FEDORA-2021-5e376c0ed9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
},
{
"name": "DSA-5004",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xstream",
"vendor": "x-stream",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T23:30:31.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"name": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f"
},
{
"name": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227"
},
{
"name": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210708-0007",
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/ntap-20210708-0007"
},
{
"name": "https://www.debian.org/security/2021/dsa-5004",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://x-stream.github.io/CVE-2021-29505.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://x-stream.github.io/CVE-2021-29505.html"
}
],
"source": {
"advisory": "GHSA-7chv-rrw6-w6fc",
"discovery": "UNKNOWN"
},
"title": "XStream is vulnerable to a Remote Command Execution attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29505",
"datePublished": "2021-05-28T21:00:19",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2025-05-29T23:30:31.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27906 (GCVE-0-2021-27906)
Vulnerability from nvd – Published: 2021-03-19 16:05 – Updated: 2025-02-13 16:27
VLAI?
Title
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file
Summary
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , ≤ 2.0.22
(custom)
|
Credits
Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04%40%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.0.22",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:34:45.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04%40%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"defect": [
"PDFBOX-5112"
],
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27906",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache PDFBox",
"version_value": "2.0.22"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-789: Memory Allocation with Excessive Size Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"defect": [
"PDFBOX-5112"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27906",
"datePublished": "2021-03-19T16:05:21.000Z",
"dateReserved": "2021-03-02T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:57.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23337 (GCVE-0-2021-23337)
Vulnerability from nvd – Published: 2021-02-15 12:15 – Updated: 2024-09-16 19:15
VLAI?
Title
Command Injection
Summary
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Severity ?
CWE
- Command Injection
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Credits
Marc Hassan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marc Hassan"
}
],
"datePublic": "2021-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:34",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T12:13:18.729628Z",
"ID": "CVE-2021-23337",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Marc Hassan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"name": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23337",
"datePublished": "2021-02-15T12:15:14.715164Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:15:17.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28500 (GCVE-0-2020-28500)
Vulnerability from nvd – Published: 2021-02-15 11:10 – Updated: 2024-09-16 22:15
VLAI?
Title
Regular Expression Denial of Service (ReDoS)
Summary
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Severity ?
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Credits
Liyuan Chen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liyuan Chen"
}
],
"datePublic": "2021-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:20",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T11:10:02.896752Z",
"ID": "CVE-2020-28500",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liyuan Chen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"name": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"name": "https://github.com/lodash/lodash/pull/5065",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28500",
"datePublished": "2021-02-15T11:10:16.225227Z",
"dateReserved": "2020-11-12T00:00:00",
"dateUpdated": "2024-09-16T22:15:52.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36183 (GCVE-0-2020-36183)
Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3003",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36183",
"datePublished": "2021-01-06T22:30:15",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36182 (GCVE-0-2020-36182)
Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:52.974482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:28.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36182",
"datePublished": "2021-01-06T22:30:22",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36180 (GCVE-0-2020-36180)
Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:49.885173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:24.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36180",
"datePublished": "2021-01-06T22:30:31",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36179 (GCVE-0-2020-36179)
Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:53.989419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:24.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36179",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36179",
"datePublished": "2021-01-06T22:30:38",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36188 (GCVE-0-2020-36188)
Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2996"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:22:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2996"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36188",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2996",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2996"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36188",
"datePublished": "2021-01-06T22:29:36",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36187 (GCVE-0-2020-36187)
Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36187",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2997",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36187",
"datePublished": "2021-01-06T22:29:44",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36186 (GCVE-0-2020-36186)
Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36186",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2997",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2997"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36186",
"datePublished": "2021-01-06T22:29:51",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36185 (GCVE-0-2020-36185)
Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36185",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2998",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36185",
"datePublished": "2021-01-06T22:29:59",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36184 (GCVE-0-2020-36184)
Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:50.943406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:27.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2998",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36184",
"datePublished": "2021-01-06T22:30:07",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36181 (GCVE-0-2020-36181)
Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:51.951666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T19:56:26.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36181",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36181",
"datePublished": "2021-01-06T22:29:19",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22963 (GCVE-0-2022-22963)
Vulnerability from cvelistv5 – Published: 2022-04-01 00:00 – Updated: 2025-10-21 23:15
VLAI?
Summary
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Cloud Function |
Affected:
Spring Cloud Function versions 3.1.6, 3.2.2 and all old and unsupported versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22963"
},
{
"name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-22963",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T17:53:06.523275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-08-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:42.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-25T00:00:00+00:00",
"value": "CVE-2022-22963 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Cloud Function",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Cloud Function versions 3.1.6, 3.2.2 and all old and unsupported versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T00:00:00.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://tanzu.vmware.com/security/cve-2022-22963"
},
{
"name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-22963",
"datePublished": "2022-04-01T00:00:00.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:42.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31811 (GCVE-0-2021-31811)
Vulnerability from cvelistv5 – Published: 2021-06-12 09:45 – Updated: 2024-08-03 23:10
VLAI?
Title
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file
Summary
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , < 2.0.24
(custom)
|
Credits
Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.24",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:28:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"defect": [
"PDFBOX-5177"
],
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"workarounds": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31811",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache PDFBox",
"version_value": "2.0.24"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-789: Memory Allocation with Excessive Size Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/2"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"defect": [
"PDFBOX-5177"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31811",
"datePublished": "2021-06-12T09:45:11",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31812 (GCVE-0-2021-31812)
Vulnerability from cvelistv5 – Published: 2021-06-12 09:45 – Updated: 2024-08-03 23:10
VLAI?
Title
A carefully crafted PDF file can trigger an infinite loop while loading the file
Summary
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-834 - Excessive Iteration
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , < 2.0.24
(custom)
|
Credits
Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.24",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:28:20",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an infinite loop while loading the file",
"workarounds": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31812",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an infinite loop while loading the file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache PDFBox",
"version_value": "2.0.24"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-834 Excessive Iteration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[announce] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210612 CVE-2021-31812: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/12/1"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Updated] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Closed] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release17.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch trunk updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Created] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210613 [jira] [Commented] (OFBIZ-12256) Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210613 [ofbiz-framework] branch release18.12 updated: Fixed: Update PDFBox to 2.0.24 because of CVE-2021-31811 \u0026 CVE-2021-31812 (OFBIZ-12256)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "FEDORA-2021-4a9ead5fff",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/"
},
{
"name": "FEDORA-2021-3d94c14be4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache PDFBox 2.0.24"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31812",
"datePublished": "2021-06-12T09:45:11",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29505 (GCVE-0-2021-29505)
Vulnerability from cvelistv5 – Published: 2021-05-28 21:00 – Updated: 2025-05-29 23:30
VLAI?
Title
XStream is vulnerable to a Remote Command Execution attack
Summary
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:05.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f"
},
{
"name": "[jmeter-dev] 20210607 [GitHub] [jmeter] sseide opened a new pull request #667: update x-stream to 1.4.17 (from 1.4.16)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210705 [SECURITY] [DLA 2704-1] libxstream-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html"
},
{
"name": "FEDORA-2021-fbad11014a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
},
{
"name": "FEDORA-2021-d894ca87dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210708-0007/"
},
{
"name": "FEDORA-2021-5e376c0ed9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
},
{
"name": "DSA-5004",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xstream",
"vendor": "x-stream",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T23:30:31.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc"
},
{
"name": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f"
},
{
"name": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227"
},
{
"name": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB",
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210708-0007",
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/ntap-20210708-0007"
},
{
"name": "https://www.debian.org/security/2021/dsa-5004",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://x-stream.github.io/CVE-2021-29505.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://x-stream.github.io/CVE-2021-29505.html"
}
],
"source": {
"advisory": "GHSA-7chv-rrw6-w6fc",
"discovery": "UNKNOWN"
},
"title": "XStream is vulnerable to a Remote Command Execution attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29505",
"datePublished": "2021-05-28T21:00:19",
"dateReserved": "2021-03-30T00:00:00",
"dateUpdated": "2025-05-29T23:30:31.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27906 (GCVE-0-2021-27906)
Vulnerability from cvelistv5 – Published: 2021-03-19 16:05 – Updated: 2025-02-13 16:27
VLAI?
Title
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file
Summary
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Severity ?
No CVSS data available.
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache PDFBox |
Affected:
Apache PDFBox , ≤ 2.0.22
(custom)
|
Credits
Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04%40%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache PDFBox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.0.22",
"status": "affected",
"version": "Apache PDFBox",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:34:45.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04%40%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"defect": [
"PDFBOX-5112"
],
"discovery": "UNKNOWN"
},
"title": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27906",
"STATE": "PUBLIC",
"TITLE": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache PDFBox",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache PDFBox",
"version_value": "2.0.22"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-789: Memory Allocation with Excessive Size Value"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210319 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[oss-security] 20210319 CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/19/10"
},
{
"name": "[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E"
},
{
"name": "[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210322 OSS-Fuzz integration",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "FEDORA-2021-93469e0030",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/"
},
{
"name": "FEDORA-2021-8b17a2725e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/"
},
{
"name": "FEDORA-2021-dc83ae690a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/"
},
{
"name": "[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E"
},
{
"name": "[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pdfbox-dev] 20210518 CVE\u0027s",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"defect": [
"PDFBOX-5112"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27906",
"datePublished": "2021-03-19T16:05:21.000Z",
"dateReserved": "2021-03-02T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:57.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-23337 (GCVE-0-2021-23337)
Vulnerability from cvelistv5 – Published: 2021-02-15 12:15 – Updated: 2024-09-16 19:15
VLAI?
Title
Command Injection
Summary
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Severity ?
CWE
- Command Injection
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Credits
Marc Hassan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:55.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marc Hassan"
}
],
"datePublic": "2021-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:34",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Command Injection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T12:13:18.729628Z",
"ID": "CVE-2021-23337",
"STATE": "PUBLIC",
"TITLE": "Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Marc Hassan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932"
},
{
"name": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2021-23337",
"datePublished": "2021-02-15T12:15:14.715164Z",
"dateReserved": "2021-01-08T00:00:00",
"dateUpdated": "2024-09-16T19:15:17.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28500 (GCVE-0-2020-28500)
Vulnerability from cvelistv5 – Published: 2021-02-15 11:10 – Updated: 2024-09-16 22:15
VLAI?
Title
Regular Expression Denial of Service (ReDoS)
Summary
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Severity ?
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||
Credits
Liyuan Chen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Lodash",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.17.21"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Liyuan Chen"
}
],
"datePublic": "2021-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T11:06:20",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"title": "Regular Expression Denial of Service (ReDoS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-02-15T11:10:02.896752Z",
"ID": "CVE-2020-28500",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Lodash",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.17.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Liyuan Chen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regular Expression Denial of Service (ReDoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"name": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"name": "https://github.com/lodash/lodash/pull/5065",
"refsource": "MISC",
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210312-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28500",
"datePublished": "2021-02-15T11:10:16.225227Z",
"dateReserved": "2020-11-12T00:00:00",
"dateUpdated": "2024-09-16T22:15:52.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36179 (GCVE-0-2020-36179)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:53.989419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:24.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36179",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36179",
"datePublished": "2021-01-06T22:30:38",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36180 (GCVE-0-2020-36180)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:49.885173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:24.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36180",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36180",
"datePublished": "2021-01-06T22:30:31",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36182 (GCVE-0-2020-36182)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:52.974482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:28.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:20:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3004",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3004"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36182",
"datePublished": "2021-01-06T22:30:22",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36183 (GCVE-0-2020-36183)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/3003",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/3003"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36183",
"datePublished": "2021-01-06T22:30:15",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36184 (GCVE-0-2020-36184)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:50.943406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:12:27.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2998",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36184",
"datePublished": "2021-01-06T22:30:07",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36185 (GCVE-0-2020-36185)
Vulnerability from cvelistv5 – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
VLAI?
Summary
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:21:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36185",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2998",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2998"
},
{
"name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36185",
"datePublished": "2021-01-06T22:29:59",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-04T17:23:09.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}